=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 18-01-2024 18:00 − Freitag 19-01-2024 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ TeamViewer abused to breach networks in new ransomware attacks ∗∗∗
---------------------------------------------
Ransomware actors are again using TeamViewer to gain initial access to organization endpoints and attempt to deploy encryptors based on the leaked LockBit ransomware builder.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/teamviewer-abused-to-breach-…
∗∗∗ macOS Python Script Replacing Wallet Applications with Rogue Apps, (Fri, Jan 19th) ∗∗∗
---------------------------------------------
Still today, many people think that Apple and its macOS are less targeted by malware. But the landscape is changing and threats are emerging in this ecosystem too.
---------------------------------------------
https://isc.sans.edu/diary/rss/30572
∗∗∗ Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software ∗∗∗
---------------------------------------------
Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines.
---------------------------------------------
https://thehackernews.com/2024/01/experts-warn-of-macos-backdoor-hidden.html
∗∗∗ Taking over WhatsApp accounts by reading voicemails ∗∗∗
---------------------------------------------
The investigation is centered on a vulnerability related to the Personal Identification Number (PIN) required for authenticating WhatsApp’s account backup feature. I describe how this PIN could be compromised through a voice call backup delivery method, forcing the call to go voicemail, and spoofing the victims phone number to read their voicemail.
---------------------------------------------
https://medium.com/@rramgattie/taking-over-whatsapp-accounts-by-reading-voi…
∗∗∗ Recovery Scam: Kriminelle geben sich als blockchain.com aus und informieren über angeblich ruhende Bitcoin-Wallet ∗∗∗
---------------------------------------------
Opfer einer betrügerischen Trading-Plattform erleiden mitunter erhebliche finanzielle Verluste. Entsprechend groß ist die Verzweiflung und der Wunsch, das Geld zurückzubekommen. Kriminelle nutzen dies aus und kontaktieren die Opfer nach einiger Zeit erneut.
---------------------------------------------
https://www.watchlist-internet.at/news/recovery-scam-kriminelle-geben-sich-…
∗∗∗ Virtual kidnapping: How to see through this terrifying scam ∗∗∗
---------------------------------------------
Phone fraud takes a frightening twist as fraudsters can tap into AI to cause serious emotional and financial damage to the victims.
---------------------------------------------
https://www.welivesecurity.com/en/scams/virtual-kidnapping-see-through-scam/
∗∗∗ Ivanti Connect Secure VPN Exploitation: New Observations ∗∗∗
---------------------------------------------
Volexity also recently learned of a potential issue that organizations may be facing when attempting to bring fresh Ivanti Connect Secure VPN appliances back online that leave them in a vulnerable state. These findings may partially account for why there has been an increase in compromised systems in subsequent scans.
---------------------------------------------
https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploita…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware confirms critical vCenter flaw now exploited in attacks ∗∗∗
---------------------------------------------
VMware has confirmed that a critical vCenter Server remote code execution vulnerability patched in October is now under active exploitation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-confirms-critical-vce…
∗∗∗ Npm Trojan Bypasses UAC, Installs AnyDesk with "Oscompatible" Package ∗∗∗
---------------------------------------------
A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines.
---------------------------------------------
https://thehackernews.com/2024/01/npm-trojan-bypasses-uac-installs.html
∗∗∗ Smartphones und mehr: Auch Umgebungslichtsensoren können spionieren ∗∗∗
---------------------------------------------
Nicht nur Smartphone-Kameras können Personen ausspionieren, sondern auch Umgebungslichtsensoren. Das geht aus einer in "Science" veröffentlichen Studie hervor.
---------------------------------------------
https://heise.de/-9601724
∗∗∗ Angreifer attackieren Ivanti EPMM und MobileIron Core ∗∗∗
---------------------------------------------
Angreifer nutzen derzeit eine kritische Sicherheitslücke in Ivanti EPMM und MobileIron Core aus.
---------------------------------------------
https://www.heise.de/news/Angreifer-attackieren-Ivanti-EPMM-und-MobileIron-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (ImageMagick), Debian (chromium), Fedora (golang-x-crypto, golang-x-mod, golang-x-net, golang-x-text, gtkwave, redis, and zbar), Mageia (tinyxml), Oracle (.NET 7.0, .NET 8.0, java-1.8.0-openjdk, java-11-openjdk, python3, and sqlite), Red Hat (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and java-21-openjdk), SUSE (kernel, libqt5-qtbase, libssh, pam, rear23a, and rear27a), and Ubuntu (pam and zookeeper).
---------------------------------------------
https://lwn.net/Articles/958676/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, golang-github-facebook-time, podman, and xorg-x11-server-Xwayland), Oracle (.NET 6.0, java-1.8.0-openjdk, java-11-openjdk, and python3.11-cryptography), Red Hat (java-11-openjdk, python-requests, and python-urllib3), SUSE (chromium, kernel, libcryptopp, libuev, perl-Spreadsheet-ParseExcel, suse-module-tools, and xwayland), and Ubuntu (filezilla and xerces-c).
---------------------------------------------
https://lwn.net/Articles/958760/
∗∗∗ Important Progress OpenEdge Critical Alert for Progress Application Server in OpenEdge (PASOE) - Arbitrary File Upload Vulnerability in WEB Transport ∗∗∗
---------------------------------------------
https://community.progress.com/s/article/Important-Progress-OpenEdge-Critic…
∗∗∗ ZDI Security Advisories ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 17-01-2024 18:00 − Donnerstag 18-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Missbrauch möglich: Whatsapp lässt fremde Nutzer Geräteinformationen abgreifen ∗∗∗
---------------------------------------------
Anhand ihrer Rufnummer lässt sich zum Beispiel feststellen, wie viele Geräte eine Zielperson mit Whatsapp verwendet und wann sie diese wechselt.
---------------------------------------------
https://www.golem.de/news/missbrauch-moeglich-whatsapp-laesst-fremde-nutzer…
∗∗∗ New Microsoft Incident Response guides help security teams analyze suspicious activity ∗∗∗
---------------------------------------------
Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/01/17/new-microsoft-inci…
∗∗∗ More Scans for Ivanti Connect "Secure" VPN. Exploits Public, (Thu, Jan 18th) ∗∗∗
---------------------------------------------
Exploits around the Ivanti Connect "Secure" VPN appliance, taking advantage of CVE-2023-46805, continue evolving. Late on Tuesday, more details became public, particularly the blog post by Rapid7 explaining the underlying vulnerability in depth.
---------------------------------------------
https://isc.sans.edu/diary/rss/30568
∗∗∗ PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft ∗∗∗
---------------------------------------------
Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification used widely in modern computers.Collectively dubbed PixieFail by Quarkslab, the nine issues reside in the TianoCore EFI Development Kit II (EDK II) and could be exploited to
---------------------------------------------
https://thehackernews.com/2024/01/pixiefail-uefi-flaws-expose-millions-of.h…
∗∗∗ MFA Spamming and Fatigue: When Security Measures Go Wrong ∗∗∗
---------------------------------------------
MFA spamming refers to the malicious act of inundating a target user's email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to overwhelm the user with notifications, in the hopes that they will inadvertently approve an unauthorized login. To execute this attack, hackers require the target victim's account credentials (username and password) to initiate the login process and trigger the MFA notifications.
---------------------------------------------
https://thehackernews.com/2024/01/mfa-spamming-and-fatigue-when-security.ht…
∗∗∗ Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware ∗∗∗
---------------------------------------------
[..] COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language.Googles Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence.
---------------------------------------------
https://thehackernews.com/2024/01/russian-coldriver-hackers-expand-beyond.h…
∗∗∗ Daten aus GPU belauscht: KI-Sicherheitslücke bei Apple Silicon, AMD und Qualcomm ∗∗∗
---------------------------------------------
Sicherheitsforscher haben ein Problem in den Grafikkernen älterer iPhones und Macs entdeckt, außerdem bei AMD und Qualcomm. Apple patcht – teilweise.
---------------------------------------------
https://heise.de/-9600829
∗∗∗ Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers ∗∗∗
---------------------------------------------
Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system.
---------------------------------------------
https://blog.talosintelligence.com/exploring-malicious-windows-drivers-part…
∗∗∗ Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024 ∗∗∗
---------------------------------------------
Cisco Talos’ Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager.
Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator [..] There are also multiple vulnerabilities in AVideo [..]
All the vulnerabilities mentioned in this blog post have been patched by their respective vendors
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-jan-17-2024/
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001 ∗∗∗
---------------------------------------------
The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).
Sites that do not use the Comment module are not affected.
---------------------------------------------
https://www.drupal.org/sa-core-2024-001
∗∗∗ MOVEit Transfer: Updates gegen DOS-Lücke ∗∗∗
---------------------------------------------
Updates für MOVEit Transfer dichten Sicherheitslecks ab, durch die Angreifer Rechenfehler provozieren oder den Dienst lahmlegen können.
---------------------------------------------
https://heise.de/-9601492
∗∗∗ Trend Micro: Sicherheitslücken in Security-Agents ermöglichen Rechteausweitung ∗∗∗
---------------------------------------------
Trend Micro warnt vor Sicherheitslücken in den Security-Agents, durch die Angreifer ihre Rechte ausweiten können. Software-Updates stehen bereit.
---------------------------------------------
https://heise.de/-9601595
∗∗∗ Nextcloud: Lücken in Apps gefährden Nutzerkonten und Datensicherheit ∗∗∗
---------------------------------------------
In mehreren Erweiterungen, etwa zur Lastverteilung, zur Anmeldung per OAuth und ZIP-Download, klaffen Löcher. Updates sind bereits verfügbar.
---------------------------------------------
https://heise.de/-9601589
∗∗∗ 2024-01 Security Bulletin: Junos OS and Junos OS Evolved: rpd process crash due to BGP flap on NSR-enabled devices (CVE-2024-21585) ∗∗∗
---------------------------------------------
An Improper Handling of Exceptional Conditions vulnerability in BGP session processing of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker, using specific timing outside the attacker's control, to flap BGP sessions and cause the routing protocol daemon (rpd) process to crash and restart, leading to a Denial of Service (DoS) condition. Continued BGP session flapping will create a sustained Denial of Service (DoS) condition.
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos…
∗∗∗ 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been resolved in Juniper Secure Analytics in 7.5.0 UP7 IF04.
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S…
∗∗∗ Oracle Releases Critical Patch Update Advisory for January 2024 ∗∗∗
---------------------------------------------
Oracle released its Critical Patch Update Advisory for January 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/18/oracle-releases-critical…
∗∗∗ Multiple Dahua Technology products vulnerable to authentication bypass ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN83655695/
∗∗∗ There is a vulnerability in batik-all-1.15.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-44730 and CVE-2022-44729) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7107742
∗∗∗ IBM Maximo Manage is vulnerable to attack due to Eclipse Jetty ( IBM X-Force ID 261776) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7107716
∗∗∗ There is a vulnerability in CSRF Token used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-47718) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7107740
∗∗∗ IBM Asset Data Dictionary Component uses bcprov-jdk18on-1.72.jar which is vulnerable to CVE-2023-33201 and CVE-2023-33202 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108953
∗∗∗ IBM Maximo Application Suite and IBM Maximo Application Suite - IoT Component uses Werkzeug-2.2.3-py3-none-any.whl which is vulnerable to CVE-2023-46136 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108960
∗∗∗ IBM Asset Data Dictionary Component uses netty-codec-http2-4.1.94, netty-handler-4.1.86 and netty-handler-4.1.92 which is vulnerable to CVE-2023-44487 and CVE-2023-34462 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108959
∗∗∗ IBM Storage Ceph is vulnerable to Use After Free in the RHEL UBI (CVE-2023-4813) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108974
∗∗∗ IBM Storage Ceph is vulnerable to Cross Site Scripting in Grafana (CVE-2022-39324) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108973
∗∗∗ AVEVA PI Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-018-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 16-01-2024 18:00 − Mittwoch 17-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Jetzt patchen! Vorsicht vor DoS-Angriffen auf Citrix NetScaler ADC und Gateway ∗∗∗
---------------------------------------------
Citrix hat Produkte seiner NetScaler-Serie auf den aktuellen Stand gebracht und gegen laufende Attacken gerüstet.
---------------------------------------------
https://www.heise.de/-9599627.html
∗∗∗ Tausende Geräte kompromittiert durch Ivanti-Sicherheitslücken ∗∗∗
---------------------------------------------
Die Schwachstellen in Ivantis VPN-Software werden massiv angegriffen. IT-Forscher haben tausende kompromittierte Systeme gefunden.
---------------------------------------------
https://www.heise.de/-9599887.html
∗∗∗ LKA warnt vor WhatsApp-Betrugsmasche ∗∗∗
---------------------------------------------
Eine neue Betrugsmasche setzt auf erneutes Kontaktieren von Opfern vorheriger Betrügereien. Davor warnt das LKA Niedersachsen.
---------------------------------------------
https://www.heise.de/-9600403.html
∗∗∗ Apple, AMD, Qualcomm: GPUs mehrerer Hersteller anfällig für Datenklau ∗∗∗
---------------------------------------------
Ein Angriff ist wohl einfach ausführbar und benötigt weniger als 10 Zeilen Code. Abgreifen lassen sich zum Beispiel Unterhaltungen mit KI-Chatbots.
---------------------------------------------
https://www.golem.de/news/apple-amd-qualcomm-gpus-mehrerer-hersteller-anfae…
∗∗∗ GitHub rotates keys to mitigate impact of credential-exposing flaw ∗∗∗
---------------------------------------------
GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/github-rotates-keys-to-mitig…
∗∗∗ PAX PoS Terminal Flaw Could Allow Attackers to Tamper with Transactions ∗∗∗
---------------------------------------------
The point-of-sale (PoS) terminals from PAX Technology are impacted by a collection of high-severity vulnerabilities that can be weaponized by threat actors to execute arbitrary code.
---------------------------------------------
https://thehackernews.com/2024/01/pax-pos-terminal-flaw-could-allow.html
∗∗∗ Whats worse than paying an extortion bot that auto-pwned your database? ∗∗∗
---------------------------------------------
Paying one that lied to you and only saved the first 20 rows of each table
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/01/17/extortion_bo…
∗∗∗ Website Takeover Campaign Takes Advantage of Unauthenticated Stored Cross-Site Scripting Vulnerability in Popup Builder Plugin ∗∗∗
---------------------------------------------
On December 11, 2023, we added an Unauthenticated Stored XSS vulnerability in the Popup Builder WordPress plugin to our Wordfence Intelligence Vulnerability Database. This vulnerability, which was originally reported by WPScan, allows an unauthenticated attacker to inject arbitrary JavaScript that will be executed whenever a user accesses an injected page.
---------------------------------------------
https://www.wordfence.com/blog/2024/01/website-takeover-campaign-takes-adva…
∗∗∗ Vorsicht vor versteckten Kosten auf prosperi.academy! ∗∗∗
---------------------------------------------
Investieren für alle zugänglich zu machen. So lautet die Mission der Prosperi Academy, die derzeit auf Facebook und Instagram kräftig die Werbetrommel rührt. Mit Hilfe der Prosperi Plattform sollen Interessierte die wichtigsten Begriffe und Regeln rund ums Investieren lernen und zusätzliche Einnahmequellen entdecken. Doch wer sich entscheidet, Prosperi zu testen, muss mit versteckten Kosten rechnen.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-versteckten-kosten-auf-…
∗∗∗ Threat Brief: Ivanti Vulnerabilities CVE-2023-46805 and CVE-2024-21887 ∗∗∗
---------------------------------------------
Ivanti VPNs can be exploited by CVE-2023-46805 (High severity) and CVE-2024-21887 (Critical severity), chained together to run commands without authentication.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2023-46805-cve-…
∗∗∗ The 7 deadly cloud security sins and how SMBs can do things better ∗∗∗
---------------------------------------------
By eliminating these mistakes and blind spots, your organization can take massive strides towards optimizing its use of cloud without exposing itself to cyber-risk
---------------------------------------------
https://www.welivesecurity.com/en/business-security/7-deadly-cloud-security…
∗∗∗ Countdown für die NIS2-Richtline läuft ∗∗∗
---------------------------------------------
Zahlreiche Unternehmen müssen die NIS2-Richtlinie umsetzen. EU-Direktive schreibt strenge Maßnahmen zur Gewährleistung der Cybersicherheit vor.
---------------------------------------------
https://www.zdnet.de/88413795/countdown-fuer-die-nis2-richtline-laeuft%e2%8…
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2023-6549 Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
- CVE-2023-6548 Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability
- CVE-2024-0519 Google Chromium V8 Out-of-Bounds Memory Access Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/17/cisa-adds-three-known-ex…
∗∗∗ Static Code Analysis: Why Your Company’s Reputation Depends On It ∗∗∗
---------------------------------------------
Static application security testing (SAST) solutions provide organizations with peace of mind that their applications are secure. But SAST platforms differ from each other. A SAST tool that meets developers where they are can make AppSec team’s lives much easier, and significantly enhance the organization’s ability to defend itself from code vulnerabilities in the SDLC. This comprehensive guide covers all aspects of Static Application Security Testing, on your journey to choosing a SAST tool and vendor.
---------------------------------------------
https://checkmarx.com/appsec-knowledge-hub/sast/static-code-analysis-why-yo…
=====================
= Vulnerabilities =
=====================
∗∗∗ MOVEit Transfer Service Pack (January 2024) ∗∗∗
---------------------------------------------
This article contains the details of the specific updates within the MOVEit Transfer January 2024 Service Pack. The Service Pack contains fixes for (1) newly disclosed CVE described below. Progress Software highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully.
---------------------------------------------
https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-Janua…
∗∗∗ MOVEit Automation Service Pack (January 2024) ∗∗∗
---------------------------------------------
As of January 17, 2024, the MOVEit Automation Service Pack is available for download from the Progress Download Center at https://community.progress.com/s/products-list using your Progress ID credentials. Progress Software highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully.
---------------------------------------------
https://community.progress.com/s/article/MOVEit-Automation-Service-Pack-Jan…
∗∗∗ Google Chrome: Sicherheitslücke wird in freier Wildbahn ausgenutzt ∗∗∗
---------------------------------------------
Google aktualisiert den Webbrowser Chrome. Das Update schließt hochriskante Sicherheitslücken. Eine davon wird bereits missbraucht.
---------------------------------------------
https://www.heise.de/-9599575.html
∗∗∗ Critical Patch Update: Oracle veröffentlicht 389 Sicherheitsupdates ∗∗∗
---------------------------------------------
Oracle hat in seinem Quartalsupdate unter anderem Banking Enterprise, MySQL und Solaris gegen mögliche Angriffe abgesichert.
---------------------------------------------
https://www.heise.de/-9600083.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (zabbix), Gentoo (OpenJDK), Red Hat (kernel), Slackware (gnutls and xorg), SUSE (cloud-init, kernel, xorg-x11-server, and xwayland), and Ubuntu (freeimage, postgresql-10, and xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/958497/
∗∗∗ 2024-01-10: Cyber Security Advisory - AC500 V3 Multiple DoS vulnerabilities ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=3ADR011264&Language…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ K000138178 : Apache Tomcat vulnerability CVE-2023-42795 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138178
∗∗∗ K000138242 : OpenSSL vulnerability CVE-2023-5678 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138242
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 15-01-2024 18:00 − Dienstag 16-01-2024 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ A lightweight method to detect potential iOS malware ∗∗∗
---------------------------------------------
Analyzing Shutdown.log file as a lightweight method to detect indicators of infection with sophisticated iOS malware such as Pegasus, Reign and Predator.
---------------------------------------------
https://securelist.com/shutdown-log-lightweight-ios-malware-detection-metho…
∗∗∗ DORA: Noch ein Jahr bis zur vollständigen Einhaltung des neuen Rechtsrahmens ∗∗∗
---------------------------------------------
In einem Jahr, am 17. Januar 2025, wird die EU-Verordnung über die über die digitale operationale Resilienz im Finanzsektor (DORA) in Kraft treten.
---------------------------------------------
https://sec-consult.com/de/blog/detail/dora-noch-ein-jahr-bis-zur-vollstaen…
∗∗∗ Phemedrone-Infostealer umgeht Windows Defender Smartscreeen-Filter ∗∗∗
---------------------------------------------
Trend Micro hat den Phemedrone-Infostealer analysiert. Der schaffte es durch eine Lücke im Windows Defender Smartscreen-Filter auf Rechner.
---------------------------------------------
https://www.heise.de/news/Phemedrone-Infostealer-umgeht-Windows-Defender-Sm…
∗∗∗ Deepfake-Videos mit bekannten Gesichtern locken in Investmentfallen ∗∗∗
---------------------------------------------
Kriminelle greifen bei der Bewerbung betrügerischer Finanzangebote besonders tief in die Trickkiste. Website-Kopien von Zeitungen mit gefälschten Promi-Artikel kennen wir nur zu gut. Mittlerweile kommen aber auch zum Teil sehr professionelle Deep-Fake-Videos zum Einsatz. Darin erklären Ihnen bekannte Promis, Moderator:innen oder Politiker:innen, wie Sie mit einer „geheimen“ Plattform schnell reich werden.
---------------------------------------------
https://www.watchlist-internet.at/news/deepfake-videos-mit-bekannten-gesich…
∗∗∗ Vorsicht vor Kryptoscams, die in Wien auf der Straße liegen ∗∗∗
---------------------------------------------
Ein seltsamer Fund in der Nähe der Wiener Karlskirche legt nahe, dass Passanten derzeit mit gefälschten Paper-Wallets geködert werden
---------------------------------------------
https://www.derstandard.at/story/3000000203274/vorsicht-vor-kryptoscams-die…
∗∗∗ CISA and FBI Release Known IOCs Associated with Androxgh0st Malware ∗∗∗
---------------------------------------------
Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), Known Indicators of Compromise Associated with Androxgh0st Malware, to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/16/cisa-and-fbi-release-kno…
∗∗∗ Ivanti Connect Secure VPN Exploitation Goes Global ∗∗∗
---------------------------------------------
Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then please do that immediately! Organizations should immediately review the results of the built-in Integrity Check Tool for log entries indicating mismatched or new files.
---------------------------------------------
https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploita…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sonicwall: Angreifer können über 178.000 Firewalls zum Absturz bringen ∗∗∗
---------------------------------------------
Die beiden Schwachstellen, über die der DoS-Angriff gelingt, sind eigentlich schon lange bekannt. Auch ein Exploit steht seit Monaten bereit.
---------------------------------------------
https://www.golem.de/news/sonicwall-angreifer-koennen-ueber-178-000-firewal…
∗∗∗ Cross-Site-Scripting in Monitoringsoftware PRTG erlaubt Sessionklau ∗∗∗
---------------------------------------------
Mit einem präparierten Link können Angreifer PRTG-Nutzer in die Irre führen und die Authentifizierung umgehen. Ein Update schafft Abhilfe.
---------------------------------------------
https://www.heise.de/news/Cross-Site-Scripting-in-Monitoringsoftware-PRTG-e…
∗∗∗ Atlassian: Updates zum Patchday schließen 28 hochriskante Schwachstellen ∗∗∗
---------------------------------------------
Atlassian veranstaltet einen Patchday und schließt dabei 28 Sicherheitslücken in diversen Programmen, die als hohes Risiko gelten.
---------------------------------------------
https://www.heise.de/news/Atlassian-Updates-zum-Patchday-schliessen-28-hoch…
∗∗∗ Kritische Sicherheitslücke: VMware vergaß Zugriffskontrollen in Aria Automation ∗∗∗
---------------------------------------------
Angreifer mit einem gültigen Konto können sich erweiterte Rechte verschaffen. VMWare bietet Patches an, Cloud-Kunden bleiben verschont.
---------------------------------------------
https://www.heise.de/news/Kritische-Sicherheitsluecke-VMware-vergass-Zugrif…
∗∗∗ Codeschmuggel in Juniper JunOS: Weltweit tausende Geräte betroffen ∗∗∗
---------------------------------------------
Ist auf einer Firewall der SRX-Serie oder einem Switch der EX-Reihe das Web-Management-Interface aktiviert, drohen Angriffe. Juniper hat Updates in petto.
---------------------------------------------
https://www.heise.de/news/Codeschmuggel-in-Juniper-JunOS-Weltweit-tausende-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Gentoo (KTextEditor, libspf2, libuv, and Nettle), Mageia (hplip), Oracle (container-tools:4.0, gnutls, idm:DL1, squid, squid34, and virt:ol, virt-devel:rhel), Red Hat (.NET 6.0, krb5, python3, rsync, and sqlite), SUSE (chromium, perl-Spreadsheet-ParseXLSX, postgresql, postgresql15, postgresql16, and rubygem-actionpack-5_1), and Ubuntu (binutils, libspf2, libssh2, mysql-5.7, w3m, webkit2gtk, and xerces-c).
---------------------------------------------
https://lwn.net/Articles/958416/
∗∗∗ VU#132380: Vulnerabilities in EDK2 NetworkPkg IP stack implementation. ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/132380
∗∗∗ VU#302671: SMTP end-of-data uncertainty can be abused to spoof emails and bypass policies ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/302671
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ VMSA-2024-0001 - VMware Aria Automation (formerly vRealize Automation) update addresses a Missing Access Control vulnerability (CVE-2023-34063) ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2024-0001.html
∗∗∗ NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-ga…
∗∗∗ Citrix Session Recording Security Bulletin for CVE-2023-6184 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX583930/citrix-session-recording-secur…
∗∗∗ Citrix StoreFront Security Bulletin for CVE-2023-5914 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX583759/citrix-storefront-security-bul…
∗∗∗ SFPMonitor.sys KOOB Write vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-6340
∗∗∗ SEW-EURODRIVE MOVITOOLS MotionStudio ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-01
∗∗∗ Integration Objects OPC UA Server Toolkit ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 12-01-2024 18:00 − Montag 15-01-2024 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ 2FA war wohl inaktiv: Aufarbeitung des Angriffs auf X-Konto der SEC gefordert ∗∗∗
---------------------------------------------
Die SEC hatte es wohl versäumt, die Zwei-Faktor-Authentifizierung ihres X-Accounts zu aktivieren. Einige US-Senatoren halten dies für "unentschuldbar".
---------------------------------------------
https://www.golem.de/news/2fa-war-wohl-inaktiv-aufarbeitung-des-angriffs-au…
∗∗∗ Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system. The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow [...]
---------------------------------------------
https://thehackernews.com/2024/01/opera-myflaw-bug-could-let-hackers-run.ht…
∗∗∗ Cybersecurity Alert - Self-Service Password Reset ∗∗∗
---------------------------------------------
Effective controls are essential to authenticate users who access your information systems. As configured by some organizations, applications or features that allow users to reset passwords themselves, do not securely authenticate users. If your organization uses, or is considering using, these features (commonly referred to as self-service password reset or SSPR), please review the information below.
---------------------------------------------
https://www.dfs.ny.gov/industry_guidance/industry_letters/il20240112_cyber_…
∗∗∗ Nvidia-Updates schließen kritische Sicherheitslücken in KI-Systemen ∗∗∗
---------------------------------------------
Nvidia hat aktualisierte Firmware für die KI-Systeme DGX A100 und H100 veröffentlicht. Sie dichtet kritische Sicherheitslecks ab.
---------------------------------------------
https://www.heise.de/-9597460.html
∗∗∗ Vorsicht vor gefälschten FinanzOnline-E-Mails ∗∗∗
---------------------------------------------
„Bitte überprüfen Sie Ihre Angaben zur zusätzlichen Verpflichtung“ lautet der Betreff eines betrügerischen E-Mails angeblich von FinanzOnline. Im Mail wird behauptet, dass sich in Ihrem Briefkasten ein Dokument befindet. Dieses können Sie über einen Link aufrufen. Wenn Sie auf den Link klicken, landen Sie auf einer gefälschten FinanzOnline-Login-Seite.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-finanzonli…
∗∗∗ Microsoft SharePoint Server: RCE-Schwachstelle CVE-2024-21318 patchen, und alte CVE-2023-29357 wird angegriffen ∗∗∗
---------------------------------------------
Noch ein Nachtrag vom Januar 2024-Patchday zu Microsoft SharePoint Server. Ich hatte in den Patchday-Artikeln die SharePoint Server RCE-Schwachstelle CVE-2024-21318 angesprochen. Diese wurde mit den Sicherheitsupdates vom 9. Januar 2023 geschlossen. Es gibt eine zweite, bereits im Juni 2023 geschlossene, Elevation of Privilege-Schwachstelle CVE-2023-29357, für die ein Exploit bekannt ist. Die US CISA hat eine Warnung veröffentlicht, weil inzwischen Angriffe auf die RCE-Schwachstelle beobachtet wurden.
---------------------------------------------
https://www.borncity.com/blog/2024/01/13/microsoft-sharepoint-server-rce-sc…
∗∗∗ Bitdefender findet Schwachstellen in Bosch BCC100-Thermostaten ∗∗∗
---------------------------------------------
Kleiner Nachtrag von dieser Woche, denn der Sicherheitsanbieter Bitdefender hat mich darüber informiert, dass Sicherheitsforscher in seinen Labs Schwachstellen in Bosch BCC100-Thermostaten gefunden haben. Hacker können solche intelligenten Thermostate über diese Schwachstellen unter ihre Kontrolle bringen und sich einen Zugriff auf Smart-Home-Netzwerke verschaffen.
---------------------------------------------
https://www.borncity.com/blog/2024/01/14/bitdefender-findet-schwachstellen-…
∗∗∗ Deobfuscating Android ARM64 strings with Ghidra: Emulating, Patching, and Automating ∗∗∗
---------------------------------------------
In a recent engagement I had to deal with some custom encrypted strings inside an Android ARM64 app. I had a lot of fun reversing the app and in the process I learned a few cool new techniques which are discussed in this writeup. This is mostly a beginner guide which explains step-by-step how you [...]
---------------------------------------------
https://blog.nviso.eu/2024/01/15/deobfuscating-android-arm64-strings-with-g…
=====================
= Vulnerabilities =
=====================
∗∗∗ OpenSSL Security Advisory - Excessive time spent checking invalid RSA public keys (CVE-2023-6237) ∗∗∗
---------------------------------------------
Impact summary: Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service.
---------------------------------------------
https://www.openssl.org/news/secadv/20240115.txt
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (bind, cups, curl, firefox, ipa, iperf3, java-1.8.0-openjdk, java-11-openjdk, kernel, libssh2, linux-firmware, open-vm-tools, openssh, postgresql, python, python3, squid, thunderbird, tigervnc, and xorg-x11-server), Fedora (chromium, python-flask-security-too, and tkimg), Gentoo (libgit2, Opera, QPDF, and zlib), Mageia (chromium-browser-stable, gnutls, openssh, packages, and vlc), Oracle (.NET 6.0, fence-agents, frr, ipa, kernel, nss, pixman, and tomcat), and SUSE (gstreamer-plugins-bad).
---------------------------------------------
https://lwn.net/Articles/958315/
∗∗∗ Mattermost security updates 9.2.4 / 9.1.5 / 8.1.8 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.2.4, 9.1.5, and 8.1.8 (Extended Support Release) for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-9-2-4-9-1-5-8-1-8-e…
∗∗∗ CVE-2024-0057 NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability ∗∗∗
---------------------------------------------
Revised the Security Updates table as follows: Added PowerShell 7.2, PowerShell 7.3, and PowerShell 7.4 because these versions of PowerShell 7 are affected by this vulnerability. See [https://github.com/PowerShell/Announcements/issues/72](https://github.com/P… for more information. Corrected Download and Article links for .NET Framework 3.5 and 4.8.1 installed on Windows 10 version 22H2.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057
∗∗∗ ZDI-24-073: Paessler PRTG Network Monitor Cross-Site Scripting Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-24-073/
∗∗∗ ZDI-24-072: Synology RT6600ax Qualcomm LDB Service Improper Input Validation Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-24-072/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ K000138219 : libssh2 vulnerability CVE-2020-22218 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138219
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 11-01-2024 18:00 − Freitag 12-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Sicherheitsrisiko: So einfach können Handy-Nutzer heimlich verfolgt werden ∗∗∗
---------------------------------------------
Ein niederländischer Radiosender bekam 80 Gigabyte an Standortdaten von der Berliner Plattform Datarade in die Hände und konnte so etwa Offiziere beschatten.
---------------------------------------------
https://www.heise.de/-9596230.html
∗∗∗ Microsoft liefert Abhilfe zur Installation von Updates in WinRE-Partition ∗∗∗
---------------------------------------------
Am Januar-Patchday schlägt die Update-Intallation unter Windows 10 oft mit Fehler 0x80070643 fehl. Ein Microsoft-Skript soll helfen.
---------------------------------------------
https://www.heise.de/-9595312.html
∗∗∗ Jetzt patchen! Kritische Sicherheitslücke in GitLab ermöglicht Accountklau ∗∗∗
---------------------------------------------
Der Fehler wird bereits aktiv von Kriminellen ausgenutzt, Administratoren sollten zügig handeln und ihre GitLab-Instanzen aktualisieren oder abschotten.
---------------------------------------------
https://www.heise.de/-9595848.html
∗∗∗ Datenleck bei Halara: Persönliche Daten von 941.910 Kunden stehen wohl im Netz ∗∗∗
---------------------------------------------
Die Daten zahlreicher Halara-Kunden sind in einem Hackerforum aufgetaucht. Abgeflossen sein sollen sie über eine Schwachstelle in der Webseiten-API.
---------------------------------------------
https://www.golem.de/news/bekleidungshersteller-halara-kundendaten-in-hacke…
∗∗∗ New Balada Injector campaign infects 6,700 WordPress sites ∗∗∗
---------------------------------------------
A new Balada Injector campaign launched in mid-December has infected over 6,700 WordPress websites using a vulnerable version of the Popup Builder campaign.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-balada-injector-campaign…
∗∗∗ Over 150k WordPress sites at takeover risk via vulnerable plugin ∗∗∗
---------------------------------------------
Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site authentication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at…
∗∗∗ One File, Two Payloads, (Fri, Jan 12th) ∗∗∗
---------------------------------------------
It has been a while since I discussed obfuscation techniques in malicious scripts. I found a VB script that pretends to be a PDF file. As usual, it was delivered through a phishing email with a zip archive. The filename is "rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs" (SHA256:6e6ecd38cc3c58c40daa4020b856550b1cbaf1dbc0fad517f7ca26d6e11a3d75[1])
---------------------------------------------
https://isc.sans.edu/diary/rss/30558
∗∗∗ Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments. "This attack is particularly intriguing due to the attackers use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier [...]
---------------------------------------------
https://thehackernews.com/2024/01/cryptominers-targeting-misconfigured.html
∗∗∗ Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families ∗∗∗
---------------------------------------------
As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said [...]
---------------------------------------------
https://thehackernews.com/2024/01/nation-state-actors-weaponize-ivanti.html
∗∗∗ Akira ransomware attackers are wiping NAS and tape backups ∗∗∗
---------------------------------------------
“The Akira ransomware malware, which was first detected in Finland in June 2023, has been particularly active at the end of the year,” the Finnish National Cybersecurity Center (NCSC-FI) has shared on Wednesday. NCSC-FI has received 12 reports of Akira ransomware hitting Finnish organizations in 2023, and three of the attacks happened during Christmas vacations.
---------------------------------------------
https://www.helpnetsecurity.com/2024/01/12/finland-akira-ransomware/
∗∗∗ Joomla! vulnerability is being actively exploited ∗∗∗
---------------------------------------------
A vulnerability in the popular Joomla! CMS has been added to CISAs known exploited vulnerabilities catalog.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2024/01/joomla-vulnerability-is-bein…
∗∗∗ An Introduction to AWS Security ∗∗∗
---------------------------------------------
Cloud providers are becoming a core part of IT infrastructure. Amazon Web Services (AWS), the worlds biggest cloud provider, is used by millions of organizations worldwide and is commonly used to run sensitive and mission-critical workloads. This makes it critical for IT and security professionals to understand the basics of AWS security and take measures to protect their data and workloads.
---------------------------------------------
https://www.tripwire.com/state-of-security/introduction-aws-security
∗∗∗ Financial Fraud APK Campaign ∗∗∗
---------------------------------------------
Drawing attention to the ways threat actors steal PII for financial fraud, this article focuses on a malicious APK campaign aimed at Chinese users.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-apks-steal-pii-from-chinese-u…
∗∗∗ CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign ∗∗∗
---------------------------------------------
This blog delves into the Phemedrone Stealer campaigns exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malwares payload.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for…
=====================
= Vulnerabilities =
=====================
∗∗∗ Pufferüberlauf und andere Sicherheitslücken in IBM Business Automation Workflow ∗∗∗
---------------------------------------------
Angreifer können Code einschleusen, Komponenten zum Stillstand bringen und geheime Informationen abgreifen. IBM informiert Kunden über Gegenmaßnahmen.
---------------------------------------------
https://www.heise.de/-9596204.html
∗∗∗ Splunk, cacti, checkmk: Sicherheitslücken in Monitoring-Software ∗∗∗
---------------------------------------------
In drei beliebten Monitoring-Produkten gibt es Sicherheitsprobleme. Admins sollten sich um Updates kümmern.
---------------------------------------------
https://www.heise.de/-9595021.html
∗∗∗ Bluetooth-Lücke: Apple sichert Tastaturen mit neuer Firmware ab ∗∗∗
---------------------------------------------
Aufgrund eines Bugs war es möglich, Bluetooth-Datenverkehr mitzuzeichnen. Allerdings brauchte der Angreifer physischen Zugriff auf die Tastatur.
---------------------------------------------
https://www.heise.de/-9595522.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel, linux-5.10, php-phpseclib, php-phpseclib3, and phpseclib), Fedora (openssh and tinyxml), Gentoo (FreeRDP and Prometheus SNMP Exporter), Mageia (packages), Red Hat (openssl), SUSE (gstreamer-plugins-rs and python-django-grappelli), and Ubuntu (dotnet6, dotnet7, dotnet8, openssh, and xerces-c).
---------------------------------------------
https://lwn.net/Articles/958124/
∗∗∗ Security Bulletin for Trend Micro Apex Central ∗∗∗
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000296153?language=en_US
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 10-01-2024 18:00 − Donnerstag 11-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Atomic Stealer rings in the new year with updated version ∗∗∗
---------------------------------------------
Mac users should be aware of an active distribution campaign via malicious ads delivering Atomic Stealer. The latest iteration of the malware is stealthy thanks to added encryption and obfuscation of its code.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-steale…
∗∗∗ SECGlitcher (Part 1) - Reproducible Voltage Glitching on STM32 Microcontrollers ∗∗∗
---------------------------------------------
Voltage glitching is a technique used in hardware security testing to try to bypass or modify the normal operation of a device by injecting a glitch.
---------------------------------------------
https://sec-consult.com/blog/detail/secglitcher-part-1-reproducible-voltage…
∗∗∗ Achtung Nachahmer: Gefahren durch gefälschte Messaging-Apps und App-Mods ∗∗∗
---------------------------------------------
Klone und Mods von WhatsApp, Telegram und Signal sind nach wie vor ein beliebtes Mittel zur Verbreitung von Malware. Lassen Sie sich nicht für dumm verkaufen.
---------------------------------------------
https://www.welivesecurity.com/de/mobile-sicherheit/achtung-nachahmer-gefah…
∗∗∗ Vorsicht vor Promi-Klonen auf Social Media: So täuschen Kriminelle treue Fans ∗∗∗
---------------------------------------------
Christina Stürmer, Hubert von Goisern oder Christopher Seiler: Das sind nur 3 von zahlreichen österreichischen Prominenten, die auf Facebook und Instagram vertreten sind -allerdings nicht nur mit einem einzigen Profil. Denn Kriminelle erstellen Fake-Profile, auf denen sie sich als diese Stars ausgeben, um den treuen Fans das Geld aus der Tasche zu ziehen.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-promi-klonen-auf-social…
∗∗∗ Medusa Ransomware Turning Your Files into Stone ∗∗∗
---------------------------------------------
Medusa ransomware gang has not only escalated activities but launched a leak site. We also analyze new TTPS encountered in an incident response case.
---------------------------------------------
https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ Kein Patch verfügbar: Ivanti Connect Secure und Policy Secure sind angreifbar ∗∗∗
---------------------------------------------
In Ivanti Connect Secure und Policy Secure klaffen aktiv ausgenutzte Sicherheitslücken. Patches gibt es bisher nicht - nur einen Workaround.
---------------------------------------------
https://www.golem.de/news/kein-patch-verfuegbar-ivanti-connect-secure-und-p…
∗∗∗ Zoho ManageEngine: Codeschmuggel in ADSelfService Plus möglich ∗∗∗
---------------------------------------------
In Zoho ManageEngine ADSelfService Plus klafft eine kritische Sicherheitslücke. Angreifer können dadurch Schadcode einschleusen.
---------------------------------------------
https://www.heise.de/news/Zoho-ManageEngine-Codeschmuggel-in-ADSelfService-…
∗∗∗ Sicherheitspatch: API-Fehler in Cisco Unity Connection macht Angreifer zum Root ∗∗∗
---------------------------------------------
Verschiedene Netzwerkprodukte von Cisco sind verwundbar. Eine Lücke gilt als kritisch.
---------------------------------------------
https://www.heise.de/news/Sicherheitspatch-API-Fehler-in-Cisco-Unity-Connec…
∗∗∗ BIOS-Sicherheitsupdates von Dell und Lenovo ∗∗∗
---------------------------------------------
Dell stellt aktualisierte BIOS-Versionen für einige Geräte bereit. AMI schließt mehrere Sicherheitslücken, Lenovo reicht diese durch.
---------------------------------------------
https://www.heise.de/news/BIOS-Sicherheitsupdates-von-Dell-und-Lenovo-95940…
∗∗∗ Sicherheitspatch: IBM Security Verify für Root-Attacken anfällig ∗∗∗
---------------------------------------------
Die Entwickler haben in IBMs Zugriffsmanagementlösung Security Verify mehrere Sicherheitslücken geschlossen.
---------------------------------------------
https://www.heise.de/news/Sicherheitspatch-IBM-Security-Verify-fuer-Root-At…
∗∗∗ Juniper Networks bessert zahlreiche Schwachstellen aus ∗∗∗
---------------------------------------------
Juniper Networks hat 27 Sicherheitsmitteilungen veröffentlicht. Sie betreffen Junos OS, Junos OS Evolved und diverse Hardware.
---------------------------------------------
https://www.heise.de/news/Juniper-Networks-bessert-zahlreiche-Schwachstelle…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (chromium, python-paramiko, tigervnc, and xorg-x11-server), Oracle (ipa, libxml2, python-urllib3, python3, and squid), Red Hat (.NET 6.0, .NET 7.0, .NET 8.0, container-tools:4.0, fence-agents, frr, gnutls, idm:DL1, ipa, kernel, kernel-rt, libarchive, libxml2, nss, openssl, pixman, python-urllib3, python3, tigervnc, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (gstreamer-plugins-bad), and Ubuntu (firefox, Go, linux-aws, [...]
---------------------------------------------
https://lwn.net/Articles/958029/
∗∗∗ Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN ∗∗∗
---------------------------------------------
Volexity analyzed one of the collected memory samples and uncovered the exploit chain used by the attacker. Volexity discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE).
---------------------------------------------
https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-da…
∗∗∗ Cisco TelePresence Management Suite Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Apache ActiveMQ OpenWire Protocol Class Type Manipulation Arbitrary Code Execution Vulnerability affects Atos Unify OpenScape UC and Atos Unify Common Management Platform ∗∗∗
---------------------------------------------
https://networks.unify.com/security/advisories/OBSO-2401-02.pdf
∗∗∗ ZDI Security Advisories ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Rapid Software LLC Rapid SCADA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-04
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 09-01-2024 18:00 − Mittwoch 10-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Absenderdaten entschlüsselt: China hat wohl Apples Airdrop-Protokoll "geknackt" ∗∗∗
---------------------------------------------
Forensikern aus Peking ist es angeblich gelungen, Telefonnummern und E-Mail-Adressen von Airdrop-Absendern zu entschlüsseln.
---------------------------------------------
https://www.golem.de/news/absenderdaten-entschluesselt-china-hat-wohl-apple…
∗∗∗ Jenkins Brute Force Scans, (Tue, Jan 9th) ∗∗∗
---------------------------------------------
Our honeypots saw a number of scans for "/j_acegi_security_check" the last two days. This URL has not been hit much lately, but was hit pretty hard last March. The URL is associated with Jenkins, and can be used to brute force passwords.
---------------------------------------------
https://isc.sans.edu/diary/rss/30546
∗∗∗ Vorgaben der CISA: Mehr Sicherheit für die Microsoft-Cloud ∗∗∗
---------------------------------------------
Die Security-Vorgaben der CISA für die Microsoft-Cloud sind fertig. Wir zeigen, was hinter den Empfehlungen steckt und wo sie sich von MS und CIS unterscheiden.
---------------------------------------------
https://www.heise.de/-9591800.html
∗∗∗ Patchday Microsoft: Kerberos-Authentifizierung unter Windows verwundbar ∗∗∗
---------------------------------------------
Es sind wichtige Sicherheitsupdates für Azure, Office, Windows und Co. erschienen. Attacken können bevorstehen. Ein Bitlocker-Patch macht Probleme.
---------------------------------------------
https://www.heise.de/-9592648.html
∗∗∗ Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin ∗∗∗
---------------------------------------------
On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000+ active installations. This vulnerability makes it possible for unauthenticated threat actors to reset the API key used to authenticate to the mailer and view [...]
---------------------------------------------
https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabi…
∗∗∗ Siemens, Schneider Electric Release First ICS Patch Tuesday Advisories of 2024 ∗∗∗
---------------------------------------------
Industrial giants Siemens and Schneider Electric publish a total of 7 new security advisories addressing 22 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/siemens-schneider-electric-release-first-ics-p…
∗∗∗ Achtung: Vermehrt PayLife Phishing-Mails im Umlauf ∗∗∗
---------------------------------------------
Schützen Sie Ihre Kreditkartendaten und nehmen Sie sich vor Phishing-Mails im Namen von PayLife in Acht. Kriminelle behaupten in den E-Mails, dass Sie aufgrund der Verpflichtung zur Zwei-Faktor-Authentifizierung Schritte setzen und einem Link folgen müssen. Sie landen auf einer kaum als Fälschung erkennbaren Kopie der PayLife-Seite. Geben Sie dort keine Daten ein!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vermehrt-paylife-phishing-ma…
∗∗∗ ‘Yet another Mirai-based botnet’ is spreading an illicit cryptominer ∗∗∗
---------------------------------------------
A well-designed operation is using a version of the infamous Mirai malware to secretly distribute cryptocurrency mining software, researchers said Wednesday. Calling it NoaBot, researchers at Akamai said the campaign has been active for about a year, and it has various quirks that complicate analysis of the malware and point to highly-skilled threat actors.
---------------------------------------------
https://therecord.media/mirai-based-botnet-spreading-akamai
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2023-29357 Microsoft SharePoint Server Privilege Escalation Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-one-known-expl…
∗∗∗ Apache Applications Targeted by Stealthy Attacker ∗∗∗
---------------------------------------------
Researchers at Aqua Nautilus have uncovered a new attack targeting Apache Hadoop and Flink applications. This attack is particularly intriguing due to the attackers use of packers and rootkits to conceal the malware. The simplicity with which these techniques are employed presents a significant challenge to traditional security defenses.
---------------------------------------------
https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-steal…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories 2024-01-10 ∗∗∗
---------------------------------------------
Security Impact Rating: 1x Critical, 6x Medium
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Lenovo Security Advisories 2024-01-09 ∗∗∗
---------------------------------------------
- AMI MegaRAC Vulnerabilities
- Lenovo XClarity Administrator (LXCA) Vulnerability
- Lenovo Vantage Vulnerabilities
- Lenovo Tablet Vulnerabilities
- TianoCore EDK II BIOS Vulnerabilities
---------------------------------------------
https://support.lenovo.com/at/en/product_security/home
∗∗∗ Patchday Adobe: Mehrere Schwachstellen in Substance 3D Stager geschlossen ∗∗∗
---------------------------------------------
Adobes Anwendung zum Erstellen von 3D-Szenen Substance 3D Stager ist angreifbar. Eine fehlerbereinigte Version steht zum Download bereit.
---------------------------------------------
https://www.heise.de/-9592712.html
∗∗∗ Update für Google Chrome: Hochriskantes Sicherheitsleck abgedichtet ∗∗∗
---------------------------------------------
Google hat turnusgemäß den Webbrowser Chrome aktualisiert. Dabei haben die Entwickler eine als hohes Risiko eingestufte Sicherheitslücke gestopft.
---------------------------------------------
https://www.heise.de/-9592658.html
∗∗∗ Update gegen Rechteausweitung in FortiOS und FortiProxy ∗∗∗
---------------------------------------------
Fortinet warnt vor einem Fehler in der Rechteverwaltung von FortiOS und FortiProxy in HA Clustern. Bösartige Akteure können ihre Rechte ausweiten.
---------------------------------------------
https://www.heise.de/-9592816.html
∗∗∗ Webkonferenzen: Zoom-Sicherheitslücken ermöglichen Rechteausweitung ∗∗∗
---------------------------------------------
Zoom verteilt aktualisierte Videokonferenz-Software. Sie schließt eine Sicherheitslücke, durch die Angreifer ihre Rechte ausweiten können.
---------------------------------------------
https://www.heise.de/-9593000.html
∗∗∗ 2022-01 Security Bulletin: Junos OS Evolved: Telnet service may be enabled when it is expected to be disabled. (CVE-2022-22164) ∗∗∗
---------------------------------------------
Modification History
2022-01-12: Initial Publication
2024-01-10: updated the JSA with information on an additional PR which fixed some releases which were not completely fixed originally
---------------------------------------------
https://supportportal.juniper.net/s/article/2022-01-Security-Bulletin-Junos…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (libssh), Gentoo (FAAD2 and RedCloth), Red Hat (kpatch-patch and nss), SUSE (hawk2, LibreOffice, opera, and tar), and Ubuntu (glibc, golang-1.13, golang-1.16, linux-azure, linux-gkeop, monit, and postgresql-9.5).
---------------------------------------------
https://lwn.net/Articles/957340/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ SVD-2024-0104: Splunk User Behavior Analytics (UBA) Third-Party Package Updates ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0104
∗∗∗ SVD-2024-0103: Splunk Enterprise Security (ES) Third-Party Package Updates - January 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0103
∗∗∗ SVD-2024-0102: Denial of Service in Splunk Enterprise Security of the Investigations manager through Investigation creation ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0102
∗∗∗ SVD-2024-0101: Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachments ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0101
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 08-01-2024 18:00 − Dienstag 09-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware ∗∗∗
---------------------------------------------
A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023.
---------------------------------------------
https://thehackernews.com/2024/01/alert-water-curupira-hackers-actively.html
∗∗∗ Skrupel nur vorgeschoben? Ransomware-Banden attackieren Kliniken ∗∗∗
---------------------------------------------
Zwar zürnt der Lockbit-Betreiber öffentlich mit einem Handlanger, ist sich dennoch für Krankenhaus-Erpressung nicht zu schade. Andere bedrohen gar Patienten.
---------------------------------------------
https://www.heise.de/news/Skrupel-nur-vorgeschoben-Ransomware-Banden-attack…
∗∗∗ Vorsicht vor Phishing-Mails im Namen der KingBill GmbH ∗∗∗
---------------------------------------------
In einem gefälschten E-Mail im Namen der „KingBill GmbH“ werden Sie gebeten, Ihre offenen Zahlungen an KingBill zu sperren. Angeblich werden ausstehende Rechnungen nun auf eine Nebenkontoverbindung verrechnet. Sie werden aufgefordert, umgehend auf das E-Mail zu antworten. Bei diesem E-Mail handelt es sich aber um Betrug, um Ihnen Geld zu stehlen.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-phishing-mails-im-namen…
∗∗∗ Roles allowing to abuse Entra ID federation for persistence and privilege escalation ∗∗∗
---------------------------------------------
Microsoft Entra ID (formerly known as Azure AD) allows delegation of authentication to another identity provider through the legitimate federation feature. However, attackers with elevated privileges can abuse this feature, leading to persistence and privilege escalation.
---------------------------------------------
https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federa…
∗∗∗ New decryptor for Babuk Tortilla ransomware variant released ∗∗∗
---------------------------------------------
Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.
---------------------------------------------
https://blog.talosintelligence.com/decryptor-babuk-tortilla/
=====================
= Vulnerabilities =
=====================
∗∗∗ SAP-Patchday: Teils kritische Lücken in Geschäftssoftware ∗∗∗
---------------------------------------------
Der Januar-Patchday von SAP behandelt teils kritische Sicherheitslücken. Zu insgesamt zehn Schwachstellen gibt es Sicherheitsnotizen.
---------------------------------------------
https://www.heise.de/news/SAP-Patchday-Teils-kritische-Luecken-in-Geschaeft…
∗∗∗ Synology warnt vor Sicherheitslücke im DSM-Betriebssystem ∗∗∗
---------------------------------------------
Synology gibt eine Warnung vor einer Sicherheitslücke im DSM-Betriebssystem für NAS-Systeme heraus. Updates stehen länger bereit.
---------------------------------------------
https://www.heise.de/news/Synology-warnt-vor-Sicherheitsluecke-im-DSM-Betri…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (squid), Fedora (podman), Mageia (dropbear), SUSE (eclipse-jgit, jsch, gcc13, helm3, opusfile, qt6-base, thunderbird, and wireshark), and Ubuntu (clamav, libclamunrar, and qemu).
---------------------------------------------
https://lwn.net/Articles/957236/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ SSA-794653 V1.0: Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-794653.html
∗∗∗ SSA-786191 V1.0: Local Privilege Escalation Vulnerability in Spectrum Power 7 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-786191.html
∗∗∗ SSA-777015 V1.0: Multiple Vulnerabilities in SIMATIC CN 4100 before V2.7 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-777015.html
∗∗∗ SSA-702935 V1.0: Redfish Server Vulnerability in maxView Storage Manager ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-702935.html
∗∗∗ SSA-589891 V1.0: Multiple PAR File Parsing Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-589891.html
∗∗∗ SSA-583634 V1.0: Command Injection Vulnerability in the CPCI85 Firmware of SICAM A8000 Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-583634.html
∗∗∗ Open Port 8899 in BCC Thermostat Product ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-473852.html
∗∗∗ CVE-2023-48795 Impact of Terrapin SSH Attack (Severity: NONE) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-48795
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 05-01-2024 18:00 − Montag 08-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Post-Quanten-Kryptografie: Verschlüsselungsverfahren Kyber birgt Schwachstellen ∗∗∗
---------------------------------------------
Durch die Messung der für bestimmte Divisionsoperationen benötigten Rechenzeit lassen sich wohl geheime Kyber-Schlüssel rekonstruieren.
---------------------------------------------
https://www.golem.de/news/post-quanten-kryptografie-verschluesselungsverfah…
∗∗∗ Suspicious Prometei Botnet Activity, (Sun, Jan 7th) ∗∗∗
---------------------------------------------
On the 31 Dec 2023, after trying multiple username/password combination, actor using IP 194.30.53.68 successfully loging to the honeypot and uploaded eight files where 2 of them are protected with a 7zip password (updates1.7z & updates2.7z). Some of these files have been identified to be related to the Prometei trojan by Virustotal.
---------------------------------------------
https://isc.sans.edu/diary/rss/30538
∗∗∗ Bypass Cognito Account Enumeration Controls ∗∗∗
---------------------------------------------
Amazon Cognito is a popular “sign-in as a service” offering from AWS. It allows developers to push the responsibility of developing authentication, sign up, and secure credential storage to AWS so they can instead focus on building their app. [..] This bypass was originally reported via a GitHub issue in July 2020 and Cognito is still vulnerable as of early 2024.
---------------------------------------------
https://hackingthe.cloud/aws/enumeration/bypass_cognito_user_enumeration_co…
∗∗∗ Jetzt patchen! Attacken auf Messaging-Plattform Apache RocketMQ ∗∗∗
---------------------------------------------
Sicherheitsforscher beobachten zurzeit Angriffsversuche auf die Messaging- und Streaming-Plattform Apache RocketMQ. Sicherheitsupdates sind bereits seit Mai 2023 verfügbar.
---------------------------------------------
https://www.heise.de/-9590555
∗∗∗ Sicherheitsupdates: Schadcode- und DoS-Attacken auf Qnap NAS möglich ∗∗∗
---------------------------------------------
Angreifer können Netzwerkspeicher von Qnap ins Visier nehmen. Sicherheitspatches schaffen Abhilfe.
---------------------------------------------
https://www.heise.de/-9589870
∗∗∗ Die OAuth-Hintertür: Google wiegelt ab ∗∗∗
---------------------------------------------
Der Suchmaschinenriese Google sieht keine Sicherheitslücke in der durch Kriminelle ausgenutzten Schnittstelle, sie funktioniere wie vorgesehen.
---------------------------------------------
https://www.heise.de/-9589840
∗∗∗ NIST: No Silver Bullet Against Adversarial Machine Learning Attacks ∗∗∗
---------------------------------------------
NIST has published a report on adversarial machine learning attacks and mitigations, and cautioned that there is no silver bullet for these types of threats.
---------------------------------------------
https://www.securityweek.com/nist-no-silver-bullet-against-adversarial-mach…
∗∗∗ Werbung für verlorene Pakete der Post für € 1,95 ist Betrug ∗∗∗
---------------------------------------------
Auf Facebook und im Facebook Messenger kursiert eine Werbung, die verloren gegangene Pakete der Post um € 1,95 verspricht. Die Werbung vermittelt den Eindruck, dass Angebot käme von der Post selbst. In den Paketen befinden sich angeblich hochpreisige Elektronikprodukte wie Laptops, Spielkonsolen oder Smartwatches. Dabei handelt es sich aber um eine betrügerische Werbung, die nichts mit der Österreichischen Post zu tun hat!
---------------------------------------------
https://www.watchlist-internet.at/news/werbung-fuer-verlorene-pakete-der-po…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices ∗∗∗
---------------------------------------------
Pentagrid identified several vulnerabilities in Lantronixs EDS-MD product during a penetration test. The EDS-MD is an IoT gateway for medical devices and equipment. The vulnerabilities include an authenticated command injection, cross-site request forgery, missing authentication for the AES-encrypted communication, cross-site scripting vulnerabilities, outdated software components, and more.
---------------------------------------------
https://www.pentagrid.ch/en/blog/multiple-vulnerabilties-in-lantronix-eds-m…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (exim4), Fedora (chromium, perl-Spreadsheet-ParseExcel, python-aiohttp, python-pysqueezebox, and tinyxml), Gentoo (Apache Batik, Eclipse Mosquitto, firefox, R, Synapse, and util-linux), Mageia (libssh2 and putty), Red Hat (squid), SUSE (libxkbcommon), and Ubuntu (gnutls28).
---------------------------------------------
https://lwn.net/Articles/957146/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Qt: Security advisory: Potential Integer Overflow in Qts HTTP2 implementation ∗∗∗
---------------------------------------------
https://www.qt.io/blog/security-advisory-potential-integer-overflow-in-qts-…
∗∗∗ BOSCH-SA-711465: Multiple vulnerabilities in Nexo cordless nutrunner ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-711465.html
∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/08/cisa-adds-six-known-expl…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 04-01-2024 18:00 − Freitag 05-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Kritische Schadcode-Lücke gefährdet Ivanti Endpoint Manager ∗∗∗
---------------------------------------------
Unter bestimmten Voraussetzungen können Angreifer Schadcode auf Ivanti-EPM-Servern ausführen.
---------------------------------------------
https://www.heise.de/-9587991.html
∗∗∗ Ransomware: Nach der Erpressung folgt umgehend die nächste Erpressung ∗∗∗
---------------------------------------------
Online-Kriminelle werden immer dreister und schlachten Opfer von Erpressungstrojanern gleich mehrfach aus.
---------------------------------------------
https://www.heise.de/-9588424.html
∗∗∗ Fitness-App „Mad Muscles“: Kostenfalle statt Unterstützung bei Neujahrsvorsätzen ∗∗∗
---------------------------------------------
Der unseriöse Anbieter „Mad Muscles“ schaltet derzeit massiv Werbung auf Facebook und Instagram. Die Botschaft? „Building muscle isnt as hard as it sounds!“ („Muskelaufbau ist nicht so schwer, wie es klingt!“) - gerade zum Jahreswechsel sind solche Botschaften beliebt, sollen die Angebote doch dabei helfen, Neujahrsvorsätze einzuhalten. Was die Werbung verschweigt: Die Betreiber:innen von madmuscles.com und der dazugehörigen „Mad Muscle App“ machen Informationen zum Unternehmen genauso wenig transparent wie die Gesamtkosten. Hinzu kommt: Kündigungen werden laut Erfahrungsberichten erschwert.
---------------------------------------------
https://www.watchlist-internet.at/news/fitness-app-mad-muscles-kostenfalle-…
∗∗∗ The source code of Zeppelin Ransomware sold on a hacking forum ∗∗∗
---------------------------------------------
Researchers from cybersecurity firm KELA reported that a threat actor announced on a cybercrime forum the sale of the source code and a cracked version of the Zeppelin ransomware builder for $500.
---------------------------------------------
https://securityaffairs.com/156974/cyber-crime/zeppelin-ransomware-source-c…
∗∗∗ New Bandook RAT Variant Resurfaces, Targeting Windows Machines ∗∗∗
---------------------------------------------
A new variant of remote access trojan called Bandook has been observed being propagated via phishing attacks with an aim to infiltrate Windows machines, underscoring the continuous evolution of the malware. Fortinet FortiGuard Labs, which identified the activity in October 2023, said the malware is distributed via a PDF file that embeds a link to a password-protected .7z archive.“
---------------------------------------------
https://thehackernews.com/2024/01/new-bandook-rat-variant-resurfaces.html
∗∗∗ SpectralBlur: New macOS Backdoor Threat from North Korean Hackers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors. “SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [...]
---------------------------------------------
https://thehackernews.com/2024/01/spectralblur-new-macos-backdoor-threat.ht…
∗∗∗ Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer ∗∗∗
---------------------------------------------
Using extractors written in Python, we detail our system for extracting internal malware configurations from memory dumps. GuLoader and RedLine Stealer are our examples.
---------------------------------------------
https://unit42.paloaltonetworks.com/malware-configuration-extraction-techni…
=====================
= Vulnerabilities =
=====================
∗∗∗ Inductive Automation Trust Center Updates ∗∗∗
---------------------------------------------
Inductive Automation offers a special thanks to the following security researchers from Trend Micro Zero Day Initiative, Star Labs, Incite Team, and Claroty Research Team82 for their hard work in finding and responsibly disclosing security vulnerabilities described in this tech advisory. All reported issues have been resolved as of Ignition 8.1.35. Inductive Automation recommends upgrading Ignition to the current version to address known vulnerabilities.
---------------------------------------------
https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-69…
∗∗∗ QNAP Security Advisories ∗∗∗
---------------------------------------------
- Vulnerability in QcalAgent
- Multiple Vulnerabilities in QTS and QuTS hero
- Multiple Vulnerabilities in QuMagie
- Multiple Vulnerabilities in Video Station
- Vulnerability in Netatalk
---------------------------------------------
https://www.qnap.com/en-us/security-advisories
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asterisk, chromium, exim4, netatalk, and tomcat9), Fedora (chromium), Gentoo (BlueZ, c-ares, CUPS filters, RDoc, and WebKitGTK+), Oracle (firefox, squid:4, thunderbird, and tigervnc), SUSE (python-aiohttp and python-paramiko), and Ubuntu (linux-intel-iotg).
---------------------------------------------
https://lwn.net/Articles/957005/
∗∗∗ Security Update for Ivanti EPM ∗∗∗
---------------------------------------------
[...] We are reporting this vulnerability as CVE-2023-39366. We have no indication that customers have been impacted by this vulnerability.
This vulnerability impacts all supported versions of the product, and the issue has been resolved in Ivanti EPM 2022 Service Update 5.
If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication.
---------------------------------------------
https://www.ivanti.com/blog/security-update-for-ivanti-epm
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 03-01-2024 18:00 − Donnerstag 04-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Mandiant’s account on X hacked to push cryptocurrency scam ∗∗∗
---------------------------------------------
The Twitter account of American cybersecurity firm and Google subsidiary Mandiant was hijacked earlier today to impersonate the Phantom crypto wallet and share a cryptocurrency scam.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mandiants-account-on-x-hacke…
∗∗∗ UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT ∗∗∗
---------------------------------------------
The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software. [..] "Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems," the researchers said.
---------------------------------------------
https://thehackernews.com/2024/01/uac-0050-group-using-new-phishing.html
∗∗∗ Three Ways To Supercharge Your Software Supply Chain Security ∗∗∗
---------------------------------------------
If you make software and ever hope to sell it to one or more federal agencies, you have to pay attention to this. Even if you never plan to sell to a government, understanding your Software Supply Chain and learning how to secure it will pay dividends in a stronger security footing and the benefits it provides.
---------------------------------------------
https://thehackernews.com/2024/01/three-ways-to-supercharge-your-software.h…
∗∗∗ Internetstörungen in Spanien: Orange-Konto bei RIPE geknackt ∗∗∗
---------------------------------------------
Im spanischen Internet kam es zu Störungen. Das Konto des Anbieters Orange bei RIPE wurde geknackt, die Angreifer haben Routen umgelenkt. [..] Durch ein schwaches Passwort ("ripeadmin") und den Verzicht auf Zwei-Faktor-Authentifizierung hatte der Angreifer leichtes Spiel. [..] Eine Antwort auf eine Anfrage beim RIPE NCC zu weiteren betroffenen oder gefährdeten Accounts und zu einer möglichen Verpflichtung, RIPE Accounts künftig zwingend mit Zwei-Faktor-Authentifizierung zu schützen, steht noch aus. Orange Spanien ist mit einem blauen Auge davongekommen; offenbar ging es dem Angreifer nur darum, den Provider bloßzustellen.
---------------------------------------------
https://www.heise.de/-9587184
∗∗∗ Terrapin-Attacke: Millionen SSH-Server angreifbar, Risiko trotzdem überschaubar ∗∗∗
---------------------------------------------
Zwar ist mehr als die Hälfte aller im Internet erreichbaren SSH-Server betroffen, Admins können jedoch aufatmen: Ein erfolgreicher Angriff ist schwierig.
---------------------------------------------
https://www.heise.de/-9587473
∗∗∗ Beyond Protocols: How Team Camaraderie Fortifies Security ∗∗∗
---------------------------------------------
The most efficient and effective teams have healthy and constructive cultures that encourage team members to go above and beyond the call of duty.
---------------------------------------------
https://www.securityweek.com/beyond-protocols-how-team-camaraderie-fortifie…
∗∗∗ „Sofortiges Handeln erforderlich“: Massenhaft Phishing-Mails im Namen von A1 im Umlauf ∗∗∗
---------------------------------------------
Zahlreiche Konsument:innen wenden sich aktuell mit gefälschten E-Mails im Namen von A1 an die Watchlist Internet. Im E-Mail wird behauptet, dass „ungewöhnliche Verbindungen“ festgestellt wurden und daher „Ihre sofortige Aufmerksamkeit“ notwendig ist, „um die Sicherheit Ihres Kontos zu gewährleisten“. Gleichzeitig wird mit der Sperre des Kontos gedroht. Wir können entwarnen: Es handelt sich um Betrug.
---------------------------------------------
https://www.watchlist-internet.at/news/sofortiges-handeln-erforderlich-mass…
∗∗∗ CVE-2022-1471: SnakeYAML Deserialization Deep Dive ∗∗∗
---------------------------------------------
Get an overview of SnakeYAML deserialization vulnerabilities (CVE-2022-1471) - how it works, why it works, and what it affects.
---------------------------------------------
https://www.greynoise.io/blog/cve-2022-1471-snakeyaml-deserialization-deep-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Update für Google Chrome schließt sechs Sicherheitslücken ∗∗∗
---------------------------------------------
Google hat aktualisierte Chrome-Versionen herausgegeben. Sie schließen sechs Sicherheitslücken, davon mehrere mit hohem Risiko.
---------------------------------------------
https://www.heise.de/-9586697
∗∗∗ Patchday Android: Angreifer können sich höhere Rechte erschleichen ∗∗∗
---------------------------------------------
Android-Geräte sind für Attacken anfällig. Google, Samsung & Co. stellen Sicherheitsupdates bereit.
---------------------------------------------
https://www.heise.de/-9586713
∗∗∗ Netzwerkanalysetool Wireshark gegen mögliche Attacken abgesichert ∗∗∗
---------------------------------------------
Die Wireshark-Entwickler haben in aktuellen Versionen mehrere Sicherheitslücken geschlossen.
---------------------------------------------
https://www.heise.de/-9587170
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Oracle (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), Red Hat (squid:4), SUSE (exim, libcryptopp, and proftpd), and Ubuntu (openssh and sqlite3).
---------------------------------------------
https://lwn.net/Articles/956855/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Mitsubishi Electric Factory Automation Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-004-02
∗∗∗ Rockwell Automation FactoryTalk Activation ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-004-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 02-01-2024 18:00 − Mittwoch 03-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Leaksmas: Auch Cyberkriminelle haben sich zu Weihnachten beschenkt ∗∗∗
---------------------------------------------
Rund um Weihnachten wurden im Darknet mehr als 50 Millionen neue Datensätze aus verschiedenen Quellen veröffentlicht. Der Zeitpunkt war kein Zufall. Cyberkriminelle haben die Weihnachtszeit offenbar genutzt, um sich gegenseitig mit umfangreichen und von verschiedenen Unternehmen und Behörden erbeuteten Datensätzen zu beschenken.
---------------------------------------------
https://www.golem.de/news/leaksmas-auch-cyberkriminelle-haben-sich-zu-weihn…
∗∗∗ Google-Konten in Gefahr: Exploit erlaubt böswilligen Zugriff trotz Passwort-Reset ∗∗∗
---------------------------------------------
Durch eine Schwachstelle in einem OAuth-Endpunkt können sich Cyberkriminelle dauerhaft Zugriff auf das Google-Konto einer Zielperson verschaffen. [..] Eine offizielle Stellungnahme zum Missbrauch des Multilogin-Endpunkts gibt es seitens Google wohl noch nicht. Dass dem Unternehmen das Problem bekannt ist, ist angesichts der Abhilfemaßnahmen aber anzunehmen.
---------------------------------------------
https://www.golem.de/news/google-konten-in-gefahr-exploit-erlaubt-boeswilli…
∗∗∗ Interesting large and small malspam attachments from 2023, (Wed, Jan 3rd) ∗∗∗
---------------------------------------------
At the end of a year, or at the beginning of a new one, I like to go over all malicious attachments that were caught in my e-mail trap over the last 12 months, since this can provide a good overview of long-term malspam trends and may sometimes lead to other interesting discoveries.
---------------------------------------------
https://isc.sans.edu/diary/rss/30524
∗∗∗ Don’t trust links with known domains: BMW affected by redirect vulnerability ∗∗∗
---------------------------------------------
Cybernews researchers have discovered two BMW subdomains that were vulnerable to SAP redirect vulnerability. They were used to access the internal workplace systems for BMW dealers and could have been useful to attackers for spear-phishing campaigns or malware distribution. [..] Cybernews researchers immediately disclosed the vulnerability to BMW, and it was promptly fixed.
---------------------------------------------
https://securityaffairs.com/156843/reports/bmw-affected-by-redirect-vulnera…
∗∗∗ How to Stop a DDoS Attack in 5 Steps ∗∗∗
---------------------------------------------
In this post, we’ll cover some essential fundamentals on how to stop a DDoS attack and prevent them from happening in the future.
---------------------------------------------
https://blog.sucuri.net/2024/01/how-to-stop-a-ddos-attack.html
∗∗∗ Nehmen Sie keine unerwarteten Nachnahme-Sendungen an! ∗∗∗
---------------------------------------------
Aktuell erreichen uns gehäuft Meldungen zu unerwarteten Paketzustellungen, welche bei der Annahme per Nachnahme zu bezahlen sind. Nach einer Übernahme stellt sich häufig heraus, dass der Inhalt wertlos ist, beziehungsweise die Ware nie bestellt wurde. Achtung: Nehmen Sie Nachnahmesendungen nur an, wenn Sie ein entsprechendes Paket erwarten und den Absender kennen. Eine Rückerstattung über die Post ist im Problemfall nämlich nicht mehr möglich!
---------------------------------------------
https://www.watchlist-internet.at/news/nehmen-sie-keine-unerwarteten-nachna…
∗∗∗ Decoding ethical hacking: A comprehensive exploration of white hat practices ∗∗∗
---------------------------------------------
In summation, ethical hacking emerges as a linchpin in fortifying cybersecurity defenses. Adopting a proactive approach, ethical hackers play a pivotal role in identifying vulnerabilities, assessing risks, and ensuring that organizations exhibit resilience in the face of evolving cyber threats.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/decoding-ethical-ha…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel), Fedora (slurm), Oracle (kernel and postgresql:15), Red Hat (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), SUSE (polkit, postfix, putty, w3m, and webkit2gtk3), and Ubuntu (nodejs).
---------------------------------------------
https://lwn.net/Articles/956694/
∗∗∗ WordPress MyCalendar Plugin — Unauthenticated SQL Injection(CVE-2023–6360) ∗∗∗
---------------------------------------------
WordPress Core is the most popular web Content Management System (CMS). This free and open-source CMS written in PHP allows developers to develop web applications quickly by allowing customization through plugins and themes. In this article, we will analyze an unauthenticated sql injection vulnerability found in the MyCalendar plugin.
---------------------------------------------
https://medium.com/tenable-techblog/wordpress-mycalendar-plugin-unauthentic…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 29-12-2023 18:00 − Dienstag 02-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK ∗∗∗
---------------------------------------------
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information.
---------------------------------------------
https://thehackernews.com/2023/12/cert-ua-uncovers-new-malware-wave.html
∗∗∗ Neue Lücke in altem E-Mail-Protokoll: SMTP smuggling ∗∗∗
---------------------------------------------
Sicherheitsforscher haben eine Schwäche im Simple Mail Transfer Protocol (SMTP) entdeckt. Sie hebt das Fälschen des Absenders auf ein neues Niveau.
---------------------------------------------
https://www.heise.de/-9584467
∗∗∗ Ransomware: Fehler in Black-Basta-Programmierung ermöglicht Entschlüsselungstool ∗∗∗
---------------------------------------------
Unter bestimmten Bedingungen kann das kostenlose Entschlüsselungstool Black Basta Buster Opfern des Erpressungstrojaners Black Basta helfen.
---------------------------------------------
https://www.heise.de/-9584846
∗∗∗ New DLL Search Order Hijacking Technique Targets WinSxS Folder ∗∗∗
---------------------------------------------
Attackers can abuse a new DLL search order hijacking technique to execute code in applications within the WinSxS folder.
---------------------------------------------
https://www.securityweek.com/new-dll-search-order-hijacking-technique-targe…
∗∗∗ Domain (in)security: the state of DMARC ∗∗∗
---------------------------------------------
This blog discusses the state of DMARC, the role that DMARC plays in email authentication, and why it should be a key component of your email security solution.
---------------------------------------------
https://www.bitsight.com/blog/domain-insecurity-state-dmarc
=====================
= Vulnerabilities =
=====================
∗∗∗ Technical Advisory – Multiple Vulnerabilities in PandoraFMS Enterprise ∗∗∗
---------------------------------------------
In this post I describe the 18 vulnerabilities that I discovered in PandoraFMS Enterprise v7.0NG.767 available at https://pandorafms.com. PandoraFMS is an enterprise scale network monitoring and management application which provides systems administrators with a central ‘hub’ to monitor and manipulate the state of computers (agents) deployed across the network.
---------------------------------------------
https://research.nccgroup.com/2024/01/02/technical-advisory-multiple-vulner…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ansible, asterisk, cjson, firefox-esr, kernel, libde265, libreoffice, libspreadsheet-parseexcel-perl, php-guzzlehttp-psr7, thunderbird, tinyxml, and xerces-c), Fedora (podman-tui, proftpd, python-asyncssh, squid, and xerces-c), Mageia (libssh and proftpd), and SUSE (deepin-compressor, gnutls, gstreamer, libreoffice, opera, proftpd, and python-pip).
---------------------------------------------
https://lwn.net/Articles/956521/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Gentoo (Joblib), Red Hat (firefox and thunderbird), SUSE (gstreamer-plugins-bad, libssh2_org, and webkit2gtk3), and Ubuntu (firefox and thunderbird).
---------------------------------------------
https://lwn.net/Articles/956568/
∗∗∗ Multiple vulnerabilities in IBM Db2 may affect IBM Storage Protect Server. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7103673
∗∗∗ Multiple vulnerabilities affect IBM Storage Scale Hadoop Connector ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7104389
∗∗∗ IBM Maximo Application Suite uses axios-0.25.0.tgz which is vulnerable to CVE-2023-45857 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7104391
∗∗∗ IBM Maximo Application Suite uses WebSphere Liberty which is vulnerable to CVE-2023-46158, CVE-2023-44483 and CVE-2023-44487 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7104390
∗∗∗ Vulnerabilities in Apache Ant affect IBM Operations Analytics - Log Analysis (CVE-2020-11023, CVE-2020-23064, CVE-2020-11022) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7104401
∗∗∗ Multiple vulnerabilities in Golang Go affect Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7037900
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 28-12-2023 18:00 − Freitag 29-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts ∗∗∗
---------------------------------------------
Multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named "MultiLogin" to restore expired authentication cookies and log into users accounts, even if an accounts password was reset.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-abuses-google-oauth-…
∗∗∗ Steam game mod breached to push password-stealing malware ∗∗∗
---------------------------------------------
Downfall, a fan expansion for the popular Slay the Spire indie strategy game, was breached on Christmas Day to push Epsilon information stealer malware using the Steam update system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/steam-game-mod-breached-to-p…
∗∗∗ Security: Wie man mit Ransomware-Hackern verhandelt ∗∗∗
---------------------------------------------
Wer Opfer einer Ransomware-Attacke wird, kommt an Verhandlungen mit den Kriminellen manchmal nicht vorbei. Dabei gibt es einige Regeln zu beachten. Ein Bericht von Friedhelm Greis
---------------------------------------------
https://www.golem.de/news/security-wie-man-mit-ransomware-hackern-verhandel…
∗∗∗ New Version of Meduza Stealer Released in Dark Web ∗∗∗
---------------------------------------------
On Christmas Eve, Resecurity’s HUNTER unit spotted the author of perspective password stealer Meduza has released a new version (2.2). One of the key significant improvements are support of more software clients [...]
---------------------------------------------
https://securityaffairs.com/156598/malware/meduza-stealer-released-dark-web…
∗∗∗ Clash of Clans gamers at risk while using third-party app ∗∗∗
---------------------------------------------
An exposed database and secrets on a third-party app puts Clash of Clans players at risk of attacks from threat actors. The Cybernews research team has discovered that the Clash Base Designer Easy Copy app exposed its Firebase database and user-sensitive information. With 100,000 downloads on the Google Play store, [...]
---------------------------------------------
https://securityaffairs.com/156617/security/clash-of-clans-gamers-at-risk.h…
∗∗∗ The Worst Hacks of 2023 ∗∗∗
---------------------------------------------
It was a year of devastating cyberattacks around the globe, from ransomware attacks on casinos to state-sponsored breaches of critical infrastructure.
---------------------------------------------
https://www.wired.com/story/worst-hacks-2023/
∗∗∗ From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence ∗∗∗
---------------------------------------------
>From October-December, the activities of DarkGate, Pikabot, IcedID and more were seen and shared with the broader community via social media [...]
---------------------------------------------
https://unit42.paloaltonetworks.com/unit42-threat-intelligence-roundup/
∗∗∗ Windows: CVE-2021-43890 ausnutzbar: App-Installer-Protokoll deaktiviert; Storm-1152 ausgeschaltet ∗∗∗
---------------------------------------------
Ich packe zum Jahresende noch einige "Gruselgeschichten" rund um das Thema "Sicherheit in Microsoft-Produkten" zusammen. So hat Microsoft den MSXI-App-Installer-Protokoll deaktiviert, weil dieses von Malware-Gruppen missbraucht wurde. Dann gab es die Schwachstelle CVE-2021-43890, die längst gefixt zu sein schien, jetzt [...]
---------------------------------------------
https://www.borncity.com/blog/2023/12/29/microsoft-sicherheitssplitter-cve-…
∗∗∗ Velociraptor 0.7.1 Release: Sigma Support, ETW Multiplexing, Local Encrypted Storage and New VQL Capabilities Highlight the Last Release of 2023 ∗∗∗
---------------------------------------------
Rapid7 is excited to announce that version 0.7.1 of Velociraptor is live and available for download. There are several new features and capabilities that add to the power and efficiency of this open-source digital forensic and incident response (DFIR) platform.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/12/29/velociraptor-0-7-1-release-sigm…
=====================
= Vulnerabilities =
=====================
∗∗∗ Apache OpenOffice 4.1.15 Release Notes ∗∗∗
---------------------------------------------
CVE-2012-5639: Loading internal / external resources without warning, CVE-2022-43680: "Use after free" fixed in libexpat, CVE-2023-1183: Arbitrary file write in Apache OpenOffice Base, CVE-2023-47804: Macro URL arbitrary script execution
---------------------------------------------
https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.15+Release+Not…
∗∗∗ CVE-2019-3773 Spring Web Services Vulnerability in NetApp Products ∗∗∗
---------------------------------------------
Multiple NetApp products incorporate Spring Web Services. Spring Web Services 2.4.3, 3.0.4, and older unsupported versions are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). [...] CVE-2019-3773 9.8 (CRITICAL)
---------------------------------------------
https://security.netapp.com/advisory/ntap-20231227-0011/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 27-12-2023 18:00 − Donnerstag 28-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Lockbit ransomware disrupts emergency care at German hospitals ∗∗∗
---------------------------------------------
German hospital network Katholische Hospitalvereinigung Ostwestfalen (KHO) has confirmed that recent service disruptions were caused by a Lockbit ransomware attack where the threat actors gained access to IT systems and encrypted devices on the network.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupts-…
∗∗∗ Unveiling the Mirai: Insights into Recent DShield Honeypot Activity [Guest Diary], (Wed, Dec 27th) ∗∗∗
---------------------------------------------
In this post, I dig into my instance of the DShield honeypot to see what attack vectors malicious actors are trying to exploit. What I found were several attempts to upload the Mirai family of malware.
---------------------------------------------
https://isc.sans.edu/diary/rss/30514
∗∗∗ Operation Triangulation: "Raffiniertester Exploit aller Zeiten" auf iPhones ∗∗∗
---------------------------------------------
Im Sommer wurde bekannt, dass iPhones der russischen Sicherheitsfirma Kaspersky per hoch entwickeltem Exploit übernommen wurden. Auf dem 37C3 gab es Details.
---------------------------------------------
https://www.heise.de/-9583427
∗∗∗ Neuer iPhone-Diebstahlschutz: "Wichtige Orte" als Sicherheitsloch ∗∗∗
---------------------------------------------
Apple will bald die Account-Ausplünderung nach iPhone-Diebstählen erschweren. Ein Sicherheitsfeature bietet allerdings eine Umgehungsmöglichkeit.
---------------------------------------------
https://www.heise.de/-9582753
∗∗∗ Jahresrückblick: Diese Themen beschäftigten uns 2023! ∗∗∗
---------------------------------------------
2023 geht für die Watchlist Internet erfolgreich zu Ende: Mit rund 3,2 Millionen Besucher:innen konnten wir auch heuer wieder zahlreiche Menschen vor Internetbetrug warnen. Monatlich erreichten uns dabei rund 1.000 Meldungen, die wir 2023 in rund 200 Warnartikel und durch die Veröffentlichung von über 12.000 Domains auf unseren Warnlisten verarbeitet haben. Danke an unsere Leser:innen, die diesen Erfolg ermöglichen.
---------------------------------------------
https://www.watchlist-internet.at/news/jahresrueckblick-diese-themen-bescha…
∗∗∗ How to report Gmail messages as spam to improve your life and make you a hero ∗∗∗
---------------------------------------------
The act of marking and reporting an email as spam in Gmail has an important side effect that makes it totally worth a few seconds of your day.
---------------------------------------------
https://www.zdnet.com/article/how-to-report-gmail-messages-as-spam-to-impro…
∗∗∗ Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed ∗∗∗
---------------------------------------------
While the Kimsuky group typically uses spear phishing attacks for initial access, most of their recent attacks involve the use of shortcut-type malware in LNK file format. Although LNK malware comprise a large part of recent attacks, cases using JavaScripts or malicious documents are continuing to be detected.
---------------------------------------------
https://asec.ahnlab.com/en/60054/
∗∗∗ Cyber Toufan goes Oprah mode, with free Linux system wipes of over 100 organisations ∗∗∗
---------------------------------------------
For the past 6 or so weeks, I’ve been tracking Cyber Toufan on Telegram. They appeared in November, and they’ve been very busy and very naughty boys. They actually set up their infrastructure around October, and started owning things apparently undetected. They’re not a lame DDoS pretend hacktivist group like NoName016 — instead, they claim to be Palestinian state cyber warriors.
---------------------------------------------
https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-syste…
=====================
= Vulnerabilities =
=====================
∗∗∗ Juniper: 2023-12 Security Bulletin: JSA Series: Multiple vulnerabilities resolved ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been resolved in Juniper Secure Analytics in 7.5.0 UP7 IF03. Severity Assessment (CVSS) Score 9.8
---------------------------------------------
https://supportportal.juniper.net/s/article/2023-12-Security-Bulletin-JSA-S…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (haproxy, libssh, and nodejs), Fedora (filezilla and minizip-ng), Gentoo (Git, libssh, and OpenSSH), and SUSE (gstreamer, postfix, webkit2gtk3, and zabbix).
---------------------------------------------
https://lwn.net/Articles/956257/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 22-12-2023 18:00 − Mittwoch 27-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Operation Triangulation: The last (hardware) mystery ∗∗∗
---------------------------------------------
Recent iPhone models have additional hardware-based security protection for sensitive regions of the kernel memory. We discovered that to bypass this hardware-based security protection, the attackers used another hardware feature of Apple-designed SoCs.
---------------------------------------------
https://securelist.com/operation-triangulation-the-last-hardware-mystery/11…
∗∗∗ Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices ∗∗∗
---------------------------------------------
McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows building Android and iOS apps with .NET and C#. Dubbed Android/Xamalicious it tries to gain accessibility privileges with social engineering and then it communicates with the command-and-control server to evaluate whether or not to download a second-stage payload that’s dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps among other actions financially motivated without user consent.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stealth-backdoor-andro…
∗∗∗ Gefährliche VPN-Extension für Chrome ist millionenfach installiert ∗∗∗
---------------------------------------------
Rund 1,5 Millionen Rechner sind mit Malware infiziert, die sich in den Browsern als VPN-Erweiterung einnistet. [..] Auf den Computern landet die Software über unrechtmäßig kopierte Spiele wie Grand Theft Auto, Assassins Creed und The Sims 4, die von Torrent-Seiten heruntergeladen wurden.
---------------------------------------------
https://futurezone.at/digital-life/vpn-extension-chrome-gefaehrlich-million…
∗∗∗ Python Keylogger Using Mailtrap.io, (Sat, Dec 23rd) ∗∗∗
---------------------------------------------
I found another Python keylogger... This is pretty common because Python has plenty of modules to implement this technique in a few lines of code [..} But, in this case, the attacker used another popular online service: mailtrap.io.
---------------------------------------------
https://isc.sans.edu/diary/rss/30512
∗∗∗ New Guide: Broken Access Control ∗∗∗
---------------------------------------------
We are excited to announce the release of our new guide What is Broken Access Control. This handy resource helps you grasp the ins-and-outs of BACs, their potential risks and operation, enabling you to effectively secure your website against unauthorized access and breaches.
---------------------------------------------
https://blog.sucuri.net/2023/12/new-guide-broken-access-control.html
∗∗∗ Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft ∗∗∗
---------------------------------------------
Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information. The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri.
---------------------------------------------
https://thehackernews.com/2023/12/rogue-wordpress-plugin-exposes-e.html
∗∗∗ Tesla: Forscher der TU Berlin verschaffen sich Zugriff auf Autopilot-Hardware ∗∗∗
---------------------------------------------
Mit Hilfe eines kurzen Spannungsabfalls konnten sich drei Doktoranden der TU Berlin Zugriff auf die Platine verschaffen, auf der Teslas Autopilot arbeitet.
---------------------------------------------
https://www.heise.de/-9583095
∗∗∗ Dual Privilege Escalation Chain: Exploiting Monitoring and Service Mesh Configurations and Privileges in GKE to Gain Unauthorized Access in Kubernetes ∗∗∗
---------------------------------------------
This article examines two specific issues in Google Kubernetes Engine (GKE). While each issue might not result in significant damage on its own, when combined they create an opportunity for an attacker who already has access to a Kubernetes cluster to escalate their privileges. This article serves as a crucial resource for Kubernetes users and administrators, offering insights on safeguarding their clusters from potential attacks.
---------------------------------------------
https://unit42.paloaltonetworks.com/google-kubernetes-engine-privilege-esca…
∗∗∗ Analysis of Attacks That Install Scanners on Linux SSH Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) analyzes attack campaigns against poorly managed Linux SSH servers and shares the results on the ASEC Blog.
---------------------------------------------
https://asec.ahnlab.com/en/59972/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Zero-Day in Apache OfBiz ERP System Exposes Businesses to Attack ∗∗∗
---------------------------------------------
A new zero-day security flaw has been discovered in the Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system that could be exploited to bypass authentication protections. The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month.
---------------------------------------------
https://thehackernews.com/2023/12/critical-zero-day-in-apache-ofbiz-erp.html
∗∗∗ Kritische Sicherheitslücke in Perl-Bibliothek: Schwachstelle bereits ausgenutzt ∗∗∗
---------------------------------------------
In einer Perl-Bibliothek zum Parsen von Excel-Dateien haben Sicherheitsforscher eine kritische Schwachstelle entdeckt, die Angreifer bereits ausgenutzt haben. [..] Die MITRE hat der Schwachstelle den Eintrag CVE-2023-7101 vergeben. Der Proof of Concept ist von März 2023. Ein Sicherheitspatch ist derzeit noch nicht verfügbar.
---------------------------------------------
https://www.heise.de/-9583179
∗∗∗ Barracuda ESG-Schwachstelle CVE-2023-7102 (Dez. 2023) ∗∗∗
---------------------------------------------
Barracuda hat bei einer laufenden Untersuchung festgestellt, dass ein Bedrohungsakteur die Schwachstelle Schwachstelle CVE-2023-7102 in der Barracuda Email Security Gateway Appliance (ESG) ausnutzt. Die Verwendung einer Bibliothek eines Drittanbieters führte zu dieser Schwachstelle, die die Barracuda ESG Appliance von 5.1.3.001 bis 9.2.1.001 betraf. Barracuda hat zum 21. Dezember 2023 ein Sicherheitsupdate für alle aktiven ESGs bereitgestellt, um die ACE-Schwachstelle zu beheben.
---------------------------------------------
https://www.borncity.com/blog/2023/12/27/barracuda-esg-schwachstelle-cve-20…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl, openssh, osslsigncode, and putty), Fedora (chromium, filezilla, libfilezilla, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, opensc, thunderbird, unrealircd, and xorg-x11-server-Xwayland), Gentoo (Ceph, FFmpeg, Flatpak, Gitea, and SABnzbd), Mageia (chromium-browser-stable), Slackware (kernel and postfix), and SUSE (cppcheck, distribution, gstreamer-plugins-bad, jbigkit, and ppp).
---------------------------------------------
https://lwn.net/Articles/956156/
∗∗∗ Autodesk: Multiple Vulnerabilities in Autodesk InfoWorks software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0024
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 21-12-2023 18:00 − Freitag 22-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft: Hackers target defense firms with new FalseFont malware ∗∗∗
---------------------------------------------
Microsoft says the APT33 Iranian cyber-espionage group is using recently discovered FalseFont backdoor malware to attack defense contractors worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-hackers-target-def…
∗∗∗ Europol warns 443 online shops infected with credit card stealers ∗∗∗
---------------------------------------------
Europol has notified over 400 websites that their online shops have been hacked with malicious scripts that steal debit and credit cards from customers making purchases.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/europol-warns-443-online-sho…
∗∗∗ Have your data and hide it too: An introduction to differential privacy ∗∗∗
---------------------------------------------
Providing software and web services that deliver value for users often requires measuring user behavior. In this blog we discuss emerging cryptographic and statistical techniques that enable collecting such measurements without violating user privacy
---------------------------------------------
https://blog.cloudflare.com/have-your-data-and-hide-it-too-an-introduction-…
∗∗∗ Experts Detail Multi-Million Dollar Licensing Model of Predator Spyware ∗∗∗
---------------------------------------------
A new analysis of the sophisticated commercial spyware called Predator has revealed that its ability to persist between reboots is offered as an "add-on feature" and that it depends on the licensing options opted by a customer.
---------------------------------------------
https://thehackernews.com/2023/12/multi-million-dollar-predator-spyware.html
∗∗∗ Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware ∗∗∗
---------------------------------------------
A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language. "Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers unfamiliarity can hamper their investigation," [...]
---------------------------------------------
https://thehackernews.com/2023/12/decoy-microsoft-word-documents-used-to.ht…
∗∗∗ Cyber sleuths reveal how they infiltrate the biggest ransomware gangs ∗∗∗
---------------------------------------------
How do you break into the bad guys ranks? Master the lingo and research, research, research
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/12/22/how_to_infil…
∗∗∗ Malicious GPT Can Phish Credentials, Exfiltrate Them to External Server: Researcher ∗∗∗
---------------------------------------------
A researcher has shown how malicious actors can create custom GPTs that can phish for credentials and exfiltrate them to external servers.
---------------------------------------------
https://www.securityweek.com/malicious-gpt-can-phish-credentials-exfiltrate…
∗∗∗ CISA Releases Microsoft 365 Secure Configuration Baselines and SCuBAGear Tool ∗∗∗
---------------------------------------------
CISA has published the finalized Microsoft 365 Secure Configuration Baselines, designed to bolster the security and resilience of organizations’ Microsoft 365 (M365) cloud services. This guidance release is accompanied by the updated SCuBAGear tool that assesses organizations’ M365 cloud services per CISA’s recommended baselines.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/12/21/cisa-releases-microsoft-…
∗∗∗ Python Packages Leverage GitHub to Deploy Fileless Malware ∗∗∗
---------------------------------------------
In early December, a number of malicious Python packages captured our attention, not just because of their malicious nature, but for the cleverness of their deployment strategy.
---------------------------------------------
https://checkmarx.com/blog/python-packages-leverage-github-to-deploy-filele…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI Security Advisories ∗∗∗
---------------------------------------------
BlueZ, Kofax Power PDF
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bluez, chromium, gst-plugins-bad1.0, openssh, and thunderbird), Fedora (chromium, firefox, kernel, libssh, nss, opensc, and thunderbird), Gentoo (Arduino, Exiv2, LibRaw, libssh, NASM, and QtWebEngine), Mageia (gstreamer), and SUSE (gnutls, gstreamer-plugins-bad, libcryptopp, libqt5-qtbase, ppp, tinyxml, xorg-x11-server, and zbar).
---------------------------------------------
https://lwn.net/Articles/956012/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 20-12-2023 18:00 − Donnerstag 21-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New phishing attack steals your Instagram backup codes to bypass 2FA ∗∗∗
---------------------------------------------
A new phishing campaign pretending to be a copyright infringement email attempts to steal the backup codes of Instagram users, allowing hackers to bypass the two-factor authentication configured on the account.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-phishing-attack-steals-y…
∗∗∗ Fake F5 BIG-IP zero-day warning emails push data wipers ∗∗∗
---------------------------------------------
The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-f5-big-ip-zero-day-warn…
∗∗∗ Android malware Chameleon disables Fingerprint Unlock to steal PINs ∗∗∗
---------------------------------------------
The Chameleon Android banking trojan has re-emerged with a new version that uses a tricky technique to take over devices — disable fingerprint and face unlock to steal device PINs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-malware-chameleon-di…
∗∗∗ Windows CLFS and five exploits used by ransomware operators ∗∗∗
---------------------------------------------
We had never seen so many CLFS driver exploits being used in active attacks before, and then suddenly there are so many of them captured in just one year. Is there something wrong with the CLFS driver? Are all these vulnerabilities similar? These questions encouraged me to take a closer look at the CLFS driver and its vulnerabilities.
---------------------------------------------
https://securelist.com/windows-clfs-exploits-ransomware/111560/
∗∗∗ Increase in Exploit Attempts for Atlassian Confluence Server (CVE-2023-22518), (Wed, Dec 20th) ∗∗∗
---------------------------------------------
Attacks for the vulnerability started early in November, shortly after the vulnerability was announced. At the time, the attacks were more targeted to specific hosts. Now we are seeing more widespread scans typical for attackers trying to "clean up" instances earlier attacks may have missed.
---------------------------------------------
https://isc.sans.edu/diary/rss/30502
∗∗∗ Weaponizing DHCP DNS Spoofing — A Hands-On Guide ∗∗∗
---------------------------------------------
In this second blog post, we aim to elaborate on some of the technical details that are required to exploit this attack surface. We will detail the methods used to collect all the necessary information to conduct the attacks, describe some attack limitations, and explore how we can spoof multiple DNS records by abusing an interesting DHCP server behavior.
---------------------------------------------
https://www.akamai.com/blog/security-research/weaponizing-dhcp-dns-spoofing…
∗∗∗ Kritische Lücken in Mobile-Device-Management-Lösung Ivanti Avalanche geschlossen ∗∗∗
---------------------------------------------
Angreifer können Ivanti Avalanche mit Schadcode attackieren. Eine reparierte Version steht zum Download bereit.
---------------------------------------------
https://www.heise.de/-9580221
∗∗∗ BSI veröffentlicht Studie zu Implementierungsangriffen auf QKD-Systeme ∗∗∗
---------------------------------------------
Das BSI hat eine wissenschaftliche Studie über Implementierungsangriffe auf Quantum Key Distribution (QKD)-Systeme veröffentlicht.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge…
∗∗∗ Spoofing: Spätestens im Herbst 2024 soll mit dem Betrug Schluss sein ∗∗∗
---------------------------------------------
Alle österreichischen Telefonnummern erhalten ein "Mascherl", das sie als echt ausweist. Provider haben bis 1. September Zeit, die neue Verordnung umzusetzen.
---------------------------------------------
https://www.derstandard.at/story/3000000200615/spoofing-spaetestens-im-herb…
∗∗∗ security.txt: A Simple File with Big Value ∗∗∗
---------------------------------------------
Our team at CISA often receives questions about why creation of a “security.txt” file was included as one of the priority Cybersecurity Performance Goals (CPGs). Why is it so important? Well, it’s such a simple concept, but it provides great value to all of those involved in vulnerability management and disclosure.
---------------------------------------------
https://www.cisa.gov/news-events/news/securitytxt-simple-file-big-value
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI Security Advisories ∗∗∗
---------------------------------------------
Voltronic Power ViewPower, Hancom Office, Honeywell Saia PG5 Controls Suite
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ Google Chrome: Update schließt bereits angegriffene Zero-Day-Lücke ∗∗∗
---------------------------------------------
Googles Entwickler haben ein Update für Chrome veröffentlicht, das eine bereits angegriffene Sicherheitslücke abdichtet.
---------------------------------------------
https://www.heise.de/-9580061
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (December 11, 2023 to December 17, 2023) ∗∗∗
---------------------------------------------
Last week, there were 16 vulnerabilities disclosed in 16 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 7 Vulnerability Researchers that contributed to WordPress Security last week.
---------------------------------------------
https://www.wordfence.com/blog/2023/12/wordfence-intelligence-weekly-wordpr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Fedora (kernel), Mageia (bluez), Oracle (fence-agents, gstreamer1-plugins-bad-free, opensc, openssl, postgresql:10, and postgresql:12), Red Hat (postgresql:15 and tigervnc), Slackware (proftpd), and SUSE (docker, rootlesskit, firefox, go1.20-openssl, go1.21-openssl, gstreamer-plugins-bad, libreoffice, libssh2_org, poppler, putty, rabbitmq-server, wireshark, xen, xorg-x11-server, and xwayland).
---------------------------------------------
https://lwn.net/Articles/955914/
∗∗∗ ESET Patches High-Severity Vulnerability in Secure Traffic Scanning Feature ∗∗∗
---------------------------------------------
ESET has patched CVE-2023-5594, a high-severity vulnerability that can cause a browser to trust websites that should not be trusted.
---------------------------------------------
https://www.securityweek.com/eset-patches-high-severity-vulnerability-in-se…
∗∗∗ Drupal: Data Visualisation Framework - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-055 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-055
∗∗∗ Foxit: Security Advisories for Foxit PDF Reader ∗∗∗
---------------------------------------------
https://www.foxit.com/support/security-bulletins.html
∗∗∗ NETGEAR: Security Advisory for Stored Cross Site Scripting on the NMS300, PSV-2023-0106 ∗∗∗
---------------------------------------------
https://kb.netgear.com/000065901/Security-Advisory-for-Stored-Cross-Site-Sc…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/12/21/cisa-adds-two-known-expl…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 19-12-2023 18:00 − Mittwoch 20-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Datenleckseite beschlagnahmt: Das FBI und die ALPHV-Hacker spielen Katz und Maus ∗∗∗
---------------------------------------------
Das FBI hat die Datenleckseite der Ransomwaregruppe ALPHV beschlagnahmt. Die Hacker haben jedoch auch noch Zugriff darauf. Sie drohen nun mit neuen Regeln.
---------------------------------------------
https://www.golem.de/news/datenleckseite-beschlagnahmt-das-fbi-und-die-alph…
∗∗∗ Remote Encryption Attacks Surge: How One Vulnerable Device Can Spell Disaster ∗∗∗
---------------------------------------------
Ransomware groups are increasingly switching to remote encryption in their attacks, marking a new escalation in tactics adopted by financially motivated actors to ensure the success of their campaigns."Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network," [...]
---------------------------------------------
https://thehackernews.com/2023/12/remote-encryption-attacks-surge-how-one.h…
∗∗∗ Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla ∗∗∗
---------------------------------------------
First discovered in 2014, Agent Tesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers. Recently, Zscaler ThreatLabz detected a threat campaign where threat actors leverage CVE-2017-11882 XLAM to spread Agent Tesla to users on vulnerable versions of Microsoft Office.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2…
∗∗∗ New MetaStealer malvertising campaigns ∗∗∗
---------------------------------------------
In recent malvertising campaigns, threat actors dropped the MetaStealer information stealer, more or less coinciding with a new version release.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/12/new-metasteal…
∗∗∗ BSI und ANSSI veröffentlichen Publikation zu Remote Identity Proofing ∗∗∗
---------------------------------------------
Das BSI hat zusammen mit der französischen Behörde für IT-Sicherheit, ANSSI, eine gemeinsame Publikation veröffentlicht. Die diesjährige Veröffentlichung beschäftigt sich mit den Gefahren und möglichen Angriffsvektoren, die in den verschiedenen Phasen der videobasierten Identifikation entstehen.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge…
∗∗∗ Why Is an Australian Footballer Collecting My Passwords? The Various Ways Malicious JavaScript Can Steal Your Secrets ∗∗∗
---------------------------------------------
Malicious JavaScript is used to steal PPI via survey sites, web chat APIs and more. We detail how JavaScript malware is implemented and evades detection.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-javascript-steals-sensitive-d…
∗∗∗ Behind the scenes: JaskaGO’s coordinated strike on macOS and Windows ∗∗∗
---------------------------------------------
In recent developments, a sophisticated malware stealer strain crafted in the Go programming language has been discovered by AT&T Alien Labs, posing a severe threat to both Windows and macOS operating systems. As of the time of publishing of this article, traditional antivirus solutions have low or even non-existent detection rates, making it a stealthy and formidable adversary.
---------------------------------------------
https://cybersecurity.att.com/blogs/labs-research/behind-the-scenes-jaskago…
∗∗∗ Spike in Atlassian Exploitation Attempts: Patching is Crucial ∗∗∗
---------------------------------------------
In the blog we discuss the importance of securing your Atlassian products, provide valuable insights on various IP activities, and offer friendly advice on proactive measures to protect your organization.
---------------------------------------------
https://www.greynoise.io/blog/spike-in-atlassian-exploitation-attempts-patc…
∗∗∗ Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors ∗∗∗
---------------------------------------------
Earlier this year, Mandiant’s Managed Defense threat hunting team identified an UNC2975 malicious advertising (“malvertising”) campaign presented to users in sponsored search engine results and social media posts, consistent with activity reported in From DarkGate to DanaBot. This campaign dates back to at least June 19, 2023, and has abused search engine traffic and leveraged malicious advertisements to affect multiple organizations, which resulted in the delivery of the DANABOT and DARKGATE backdoors.
---------------------------------------------
https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-b…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-1810: QEMU NVMe Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to disclose sensitive information on affected installations of QEMU. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.0.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-1810/
∗∗∗ ZDI-23-1813: Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-1813/
∗∗∗ Sitefinity Security Advisory for Addressing Security Vulnerability CVE-2023-6784, December 2023 ∗∗∗
---------------------------------------------
The Progress Sitefinity team recently discovered a MEDIUM CVSS vulnerability in the Sitefinity application available under # CVE-2023-6784. A fix has been developed and tested – and is now available for download. Below you can find information about the discoveries and version-specific product updates for supported versions.
---------------------------------------------
https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-A…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (ansible and ansible-core), Gentoo (Minecraft Server and thunderbird), Mageia (fusiondirectory), Red Hat (gstreamer1-plugins-bad-free, opensc, and openssl), Slackware (libssh and mozilla), SUSE (avahi, firefox, ghostscript, gstreamer-plugins-bad, mariadb, openssh, openssl-1_1-livepatches, python-aiohttp, python-cryptography, xorg-x11-server, and xwayland), and Ubuntu (libssh and openssh).
---------------------------------------------
https://lwn.net/Articles/955786/
∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Apple has released security updates to address vulnerabilities in Safari, iOS, iPadOS, and macOS Sonoma. A cyber threat actor could exploit one of these vulnerabilities to obtain sensitive information. CISA encourages users and administrators to review Apple security releases and apply necessary updates.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/12/20/apple-releases-security-…
∗∗∗ New Ivanti Avalanche Vulnerabilities ∗∗∗
---------------------------------------------
As part of our ongoing strengthening of the security of our products we have discovered twenty new vulnerabilities in the Ivanti Avalanche on-premise product. We are reporting these vulnerabilities as the CVE numbers listed below. These vulnerabilities impact all supported versions of the products – Avalanche versions 6.3.1 and above. Older versions/releases are also at risk. This release corrects multiple memory corruption vulnerabilities, covered in these security advisories: [...]
---------------------------------------------
https://www.ivanti.com/blog/new-ivanti-avalanche-vulnerabilities
∗∗∗ Multiple vulnerabilites in D-Link G416 routers ∗∗∗
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name…
∗∗∗ K000137965 : Apache Tomcat vulnerability CVE-2023-45648 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000137965
∗∗∗ K000137966 : Apache Tomcat vulnerability CVE-2023-42794 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000137966
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities. [CVE-2022-42889, CVE-2023-35001, CVE-2023-32233] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7095693
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7087688
∗∗∗ IBM Maximo Application Suite - IoT Component uses Pygments-2.14.0-py3-none-any.whl which is vulnerable to CVE-2022-40896 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7099774
∗∗∗ IBM Maximo Application Suite uses urllib3-1.26.16-py2.py3-none-any.whl which is vulnerable to CVE-2023-43804 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7099772
∗∗∗ IBM Sterling B2B Integrator EBICs client affected by multiple issues due to Jettison ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7099862
∗∗∗ IBM Security Guardium is affected by a guava-18.0.jar vulnerability (CVE-2023-2976) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7099896
∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7100525
∗∗∗ IBM Security Guardium is affected by a multiple vulnerabilities (CVE-2023-39975, CVE-2023-34042) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7100884
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 18-12-2023 18:00 − Dienstag 19-12-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Akute Welle an DDoS Angriffen auf staatsnahe und kritische Infrastruktur in Österreich ∗∗∗
---------------------------------------------
Seit Kurzem sehen sich österreichische staatliche/staatsnahe Organisationen sowie Unternehmen der kritischen Infrastruktur vermehrt mit DDoS Angriffen konfrontiert. Die genauen Hintergründe der Attacken sind uns zurzeit nicht bekannt, Hinweise für eine hacktivistische Motivation liegen jedoch vor. In Anbetracht der aktuellen Geschehnisse empfehlen wir Unternehmen und Organisationen, die eigenen Prozesse und technischen Maßnahmen nochmals auf ihre Wirksamkeit zu überprüfen, um im Fall eines Angriffes bestmöglich gewappnet zu sein. Dies gilt insbesondere, da eine Intensivierung der Angriffe nicht ausgeschlossen werden kann.
---------------------------------------------
https://cert.at/de/aktuelles/2023/12/akute-welle-an-ddos-angriffen-auf-staa…
∗∗∗ Neue Angriffstechnik: Terrapin schwächt verschlüsselte SSH-Verbindungen ∗∗∗
---------------------------------------------
Ein Angriff kann wohl zur Verwendung weniger sicherer Authentifizierungsalgorithmen führen. Betroffen sind viele gängige SSH-Implementierungen.
---------------------------------------------
https://www.golem.de/news/neue-angriffstechnik-terrapin-schwaecht-verschlue…
∗∗∗ FBI disrupts Blackcat ransomware operation, creates decryption tool ∗∗∗
---------------------------------------------
The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operations servers to monitor their activities and obtain decryption keys.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-disrupts-blackcat-ransom…
∗∗∗ 8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware ∗∗∗
---------------------------------------------
The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers.
---------------------------------------------
https://thehackernews.com/2023/12/8220-gang-exploiting-oracle-weblogic.html
∗∗∗ Hackers Abusing GitHub to Evade Detection and Control Compromised Hosts ∗∗∗
---------------------------------------------
Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages.
---------------------------------------------
https://thehackernews.com/2023/12/hackers-abusing-github-to-evade.html
∗∗∗ Mute the Sound: Chaining Vulnerabilities to Achieve RCE on Outlook: Pt 1 ∗∗∗
---------------------------------------------
In this post, we have detailed the research process that led to the discovery of the two bypasses, including their root-cause analysis. As we’ve shown, Windows path parsing code is complex and often can lead to vulnerabilities. [..] Windows machines with the October 2023 software update installed are protected from these vulnerabilities. Additionally, Outlook clients that use Exchange servers patched with March 2023 software update are protected against the abused feature.
---------------------------------------------
https://www.akamai.com/blog/security-research/2023/dec/chaining-vulnerabili…
∗∗∗ Botnet: Qakbot wieder aktiv mit neuer Phishing-Kampagne ∗∗∗
---------------------------------------------
Im August haben internationale Strafverfolger das Quakbot-Botnetz außer Gefecht gesetzt. Jetzt hat Microsoft eine neue Phishing-Kampagne entdeckt.
---------------------------------------------
https://www.heise.de/-9577963
∗∗∗ Retro Gaming Vulnerability Research: Warcraft 2 ∗∗∗
---------------------------------------------
This blog post is part one in a short series on learning some basic game hacking techniques. [..] I leave it as an exercise to the reader to extend wc2shell further to add the first checksum byte and attempt to fuzz other traffic.
---------------------------------------------
https://research.nccgroup.com/2023/12/19/retro-gaming-vulnerability-researc…
∗∗∗ Achtung Fake: „Ihr iCloud-Speicher ist voll. Erhalten Sie 50 GB KOSTENLOS !“ ∗∗∗
---------------------------------------------
Ihr iCloud-Speicher ist voll? Sie erhalten aber angeblich 50 GB kostenlos? Vorsicht, bei diesem E-Mail handelt es sich um Phishing. Tippen Sie nicht auf das Feld „Erhalten Sie 50 GB“. Sie würden auf einer gefälschten iCloud-Webseite landen, die Ihre Login-Daten stiehlt.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-ihr-icloud-speicher-ist…
∗∗∗ Apache ActiveMQ Vulnerability (CVE-2023-46604) Continuously Being Exploited in Attacks ∗∗∗
---------------------------------------------
This post will cover the recent additional attacks that installed Ladon, NetCat, AnyDesk, and z0Miner.
---------------------------------------------
https://asec.ahnlab.com/en/59904/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk), Fedora (rdiff-backup and xorg-x11-server-Xwayland), Mageia (cjose and ghostscript), Oracle (avahi), Red Hat (postgresql:10), and SUSE (avahi, freerdp, libsass, and ncurses).
---------------------------------------------
https://lwn.net/Articles/955678/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ mozilla: Security Vulnerabilities fixed in Firefox 121 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
∗∗∗ mozilla: Security Vulnerabilities fixed in Thunderbird 115.6 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/
∗∗∗ mozilla: Security Vulnerabilities fixed in Firefox ESR 115.6 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
∗∗∗ EFACEC UC 500E ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-03
∗∗∗ Subnet Solutions Inc. PowerSYSTEM Center ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-01
∗∗∗ Open Design Alliance Drawing SDK ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-04
∗∗∗ EFACEC BCU 500 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-02
∗∗∗ EuroTel ETL3100 Radio Transmitter ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-05
∗∗∗ F5: K000137926 : Apache Tomcat vulnerability CVE-2023-46589 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000137926
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 15-12-2023 18:00 − Montag 18-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Zwei Monate nach Meldung: SQL-Injection-Schwachstelle in 3CX noch immer ungepatcht ∗∗∗
---------------------------------------------
Statt einen Patch bereitzustellen, fordert 3CX seine Kunden nun dazu auf, aus Sicherheitsgründen ihre SQL-Datenbank-Integrationen zu deaktivieren.
---------------------------------------------
https://www.golem.de/news/zwei-monate-nach-meldung-sql-injection-schwachste…
∗∗∗ SMTP Smuggling - Spoofing E-Mails Worldwide ∗∗∗
---------------------------------------------
Introducing a novel technique for e-mail spoofing
---------------------------------------------
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwi…
∗∗∗ SLP Denial of Service Amplification - Attacks are ongoing and rising ∗∗∗
---------------------------------------------
We build on our previous work and look into how threat actors are abusing SLP to launch reflection/amplification DDoS attacks, their evolution, and what targets are they focused on at the moment.
---------------------------------------------
https://www.bitsight.com/blog/slp-denial-service-amplification-attacks-are-…
∗∗∗ WordPress hosting service Kinsta targeted by Google phishing ads ∗∗∗
---------------------------------------------
WordPress hosting provider Kinsta is warning customers that Google ads have been observed promoting phishing sites to steal hosting credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-hosting-service-ki…
∗∗∗ Microsoft Warns of Storm-0539: The Rising Threat Behind Holiday Gift Card Frauds ∗∗∗
---------------------------------------------
Microsoft is warning of an uptick in malicious activity from an emerging threat cluster its tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season.
---------------------------------------------
https://thehackernews.com/2023/12/microsoft-warns-of-storm-0539-rising.html
∗∗∗ PikaBot distributed via malicious search ads ∗∗∗
---------------------------------------------
PikaBot, a stealthy malware normally distributed via malspam is now being spread via malicious ads.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distr…
∗∗∗ QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry ∗∗∗
---------------------------------------------
A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry.
---------------------------------------------
https://thehackernews.com/2023/12/qakbot-malware-resurfaces-with-new.html
∗∗∗ iOS 17.2: Flipper Zero kann keine iPhones mehr crashen ∗∗∗
---------------------------------------------
Apple verhindert mit iOS 17.2 offenbar, dass iPhones mit einem Flipper-Zero-Bluetooth-Exploit ge-DoSt werden können.
---------------------------------------------
https://www.heise.de/-9576526
∗∗∗ Ransomware-Gruppen buhlen zunehmend um Medien-Aufmerksamkeit ∗∗∗
---------------------------------------------
Um sich von der Konkurrenz abzusetzen und die eigenen Leistungen gewürdigt zu wissen, suchen Ransomware-Gruppen zunehmend den direkten Kontakt zu Journalisten.
---------------------------------------------
https://www.heise.de/-9576774
∗∗∗ E-Mail vom Entschädigungsamt ist Fake ∗∗∗
---------------------------------------------
Kriminelle geben sich als „Entschädigungsamt“ aus und behaupten in einem E-Mail, dass Betrugsopfer mit einer Gesamtsumme von 3.500.000 Euro entschädigt werden. Antworten Sie nicht und schicken Sie keinesfalls persönliche Daten und Ausweiskopien. Sie werden erneut betrogen!
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-vom-entschaedigungsamt-ist-fa…
∗∗∗ Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains ∗∗∗
---------------------------------------------
Using machine learning to target stockpiled malicious domains, the results of our detection pipeline tool highlight campaigns from phishing to scams.
---------------------------------------------
https://unit42.paloaltonetworks.com/detecting-malicious-stockpiled-domains/
∗∗∗ An Example of RocketMQ Exploit Scanner, (Sat, Dec 16th) ∗∗∗
---------------------------------------------
A few months ago, RocketMQ, a real-time message queue platform, suffered of a nasty vulnerability referred as cve:2023-33246. I found another malicious script in the wild a few weeks ago that exploits this vulnerability. It has still today a very low VirusTotal detection score: 2/60
---------------------------------------------
https://isc.sans.edu/diary/rss/30492
∗∗∗ CISA Urges Manufacturers to Eliminate Default Passwords After Recent ICS Attacks ∗∗∗
---------------------------------------------
CISA is advising device makers to stop relying on customers to change default passwords following attacks targeting water sector ICS.
---------------------------------------------
https://www.securityweek.com/cisa-urges-manufacturers-to-eliminate-default-…
∗∗∗ CISA Releases Key Risk and Vulnerability Findings for Healthcare and Public Health Sector ∗∗∗
---------------------------------------------
Report provides recommended actions and mitigation strategies for HPH sector, critical infrastructure and software manufacturers
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-releases-key-risk-and-vulnerabil…
∗∗∗ #StopRansomware: Play Ransomware ∗∗∗
---------------------------------------------
These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a
=====================
= Vulnerabilities =
=====================
∗∗∗ Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server ∗∗∗
---------------------------------------------
Four new unauthenticated remotely exploitable security vulnerabilities discovered in the popular source code management platform Perforce Helix Core Server have been remediated after being responsibly disclosed by Microsoft. Perforce Server customers are strongly urged to update to version 2023.1/2513900.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/12/15/patching-perforce-…
∗∗∗ ZDI-23-1799: Ivanti Avalanche Incorrect Default Permissions Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of Ivanti Avalanche. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-41726.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-1799/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (freeimage, ghostscript, intel-microcode, spip, and xorg-server), Fedora (chromium, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, PyDrive2, seamonkey, and vim), Gentoo (Leptonica), Mageia (audiofile, gimp, golang, and poppler), Oracle (buildah, containernetworking-plugins, gstreamer1-plugins-bad-free, kernel, kernel-container, libxml2, pixman, podman, postgresql, postgresql:15, runc, skopeo, tracker-miners, and webkit2gtk3), and SUSE (fish).
---------------------------------------------
https://lwn.net/Articles/955566/
∗∗∗ OpenSSH Security December 18, 2023 ∗∗∗
---------------------------------------------
penSSH 9.6 was released on 2023-12-18. It is available from the mirrors listed at https://www.openssh.com/. This release contains a number of security fixes, some small features and bugfixes.
---------------------------------------------
https://www.openssh.com/security.html
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Nextcloud Security Advisories ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 14-12-2023 18:00 − Freitag 15-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ten new Android banking trojans targeted 985 bank apps in 2023 ∗∗∗
---------------------------------------------
This year has seen the emergence of ten new Android banking malware families, which collectively target 985 bank and fintech/trading apps from financial institutes across 61 countries.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ten-new-android-banking-troj…
∗∗∗ Fake-Werbeanzeige auf Facebook & Instagram: „Verlorenes Gepäck für nur 1,95 €!“ ∗∗∗
---------------------------------------------
Im Namen des „Vienna International Airport“ schalten Kriminelle aktuell betrügerische Anzeigen und behaupten, dass verloren gegangene Koffer für knapp 2 Euro verkauft werden.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-werbeanzeige-auf-facebook-insta…
∗∗∗ OilRig’s persistent attacks using cloud service-powered downloaders ∗∗∗
---------------------------------------------
ESET researchers document a series of new OilRig downloaders, all relying on legitimate cloud service providers for C&C communications.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-c…
∗∗∗ New Hacker Group GambleForce Hacks Targets with Open Source Tools ∗∗∗
---------------------------------------------
Yet another day, yet another threat actor posing a danger to the cybersecurity of companies globally.
---------------------------------------------
https://www.hackread.com/gambleforce-hacks-targets-open-source-tools/
∗∗∗ Mining The Undiscovered Country With GreyNoise EAP Sensors: F5 BIG-IP Edition ∗∗∗
---------------------------------------------
Discover the fascinating story of a GreyNoise researcher who found that attackers were using his demonstration code for a vulnerability instead of the real exploit. Explore the implications of this situation and learn about the importance of using accurate and up-to-date exploits in the cybersecurity community.
---------------------------------------------
https://www.greynoise.io/blog/mining-the-undiscovered-country-with-greynois…
∗∗∗ Opening a new front against DNS-based threats ∗∗∗
---------------------------------------------
There are multiple ways in which threat actors can leverage DNS to carry out attacks. We will provide a an introduction to DNS threat landscape.The post Opening a new front against DNS-based threats appeared first on Avast Threat Labs.
---------------------------------------------
https://decoded.avast.io/threatintel/opening-a-new-front-against-dns-based-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Ubiquiti: Nutzer konnten auf fremde Sicherheitskameras zugreifen ∗∗∗
---------------------------------------------
Teilweise erhielten Anwender sogar Benachrichtigungen auf ihre Smartphones, in denen Bilder der fremden Kameras enthalten waren.
---------------------------------------------
https://www.golem.de/news/ubiquiti-nutzer-konnten-auf-fremde-sicherheitskam…
∗∗∗ New Security Vulnerabilities Uncovered in pfSense Firewall Software - Patch Now ∗∗∗
---------------------------------------------
Multiple security vulnerabilities have been discovered in the open-source Netgate pfSense firewall solution called pfSense that could be chained by an attacker to execute arbitrary commands on susceptible appliances.
---------------------------------------------
https://thehackernews.com/2023/12/new-security-vulnerabilities-uncovered.ht…
∗∗∗ Squid-Proxy: Denial of Service durch Endlosschleife ∗∗∗
---------------------------------------------
Schickt ein Angreifer einen präparierten HTTP-Header an den Proxy-Server, kann er ihn durch eine unkontrollierte Rekursion zum Stillstand bringen.
---------------------------------------------
https://www.heise.de/news/Squid-Proxy-Denial-of-Service-durch-Endlosschleif…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bluez and haproxy), Fedora (curl, dotnet6.0, dotnet7.0, tigervnc, and xorg-x11-server), Red Hat (avahi and gstreamer1-plugins-bad-free), Slackware (bluez), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, cosign, curl, gstreamer-plugins-bad, haproxy, ImageMagick, kernel, kernel-firmware, libreoffice, tiff, [...]
---------------------------------------------
https://lwn.net/Articles/955336/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Unitronics Vision Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-15
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 13-12-2023 18:00 − Donnerstag 14-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Urteil des EuGH: Datenleck-Betroffene könnten doch Schadensersatz bekommen ∗∗∗
---------------------------------------------
Der Europäische Gerichtshof (EuGH) hat in einem neuen Urteil die Rechte der Betroffenen von Datenlecks gestärkt. Schon der Umstand, "dass eine betroffene Person infolge eines Verstoßes gegen die DSGVO befürchtet, dass ihre personenbezogenen Daten durch Dritte missbräuchlich verwendet werden könnten, kann einen 'immateriellen Schaden' darstellen", heißt es in dem Urteil, das am 14. Dezember 2023 veröffentlicht wurde.
---------------------------------------------
https://www.golem.de/news/urteil-des-eugh-datenleck-betroffene-koennten-doc…
∗∗∗ Reverse, Reveal, Recover: Windows Defender Quarantine Forensics ∗∗∗
---------------------------------------------
Windows Defender (the antivirus shipped with standard installations of Windows) places malicious files into quarantine upon detection. Reverse engineering mpengine.dll resulted in finding previously undocumented metadata in the Windows Defender quarantine folder that can be used for digital forensics and incident response. Existing scripts that extract quarantined files do not process this metadata, even though it could be useful for analysis. Fox-IT’s open-source digital forensics and incident response framework Dissect can now recover this metadata, in addition to recovering quarantined files from the Windows Defender quarantine folder.
---------------------------------------------
https://blog.fox-it.com/2023/12/14/reverse-reveal-recover-windows-defender-…
∗∗∗ Mobile Sicherheit. Handlungsempfehlungen und präventive Maßnahmen für die sichere Nutzung von mobilen Endgeräten, 2023 ∗∗∗
---------------------------------------------
Wie so oft stehen aber auch in diesem Bereich Komfort und Sicherheit in einem permanenten Spannungsverhältnis. Ein Mehr an Sicherheit für Ihr Gerät und Ihre Daten kann auf der anderen Seite bedeuten, dass einige durchaus praktische Funktionen nur mehr eingeschränkt oder gar nicht mehr zur Verfügung stehen. Letztlich liegt es an Ihnen, den für Sie bestmöglichen Kompromiss zwischen Funktion, Komfort, Sicherheit und Privatsphäre zu finden. Die vorliegende Broschüre möchte Ihnen dabei helfen.
---------------------------------------------
https://www.nis.gv.at/dam/jcr:8165f553-2769-4553-91c8-4b117c752f56/mobile_s…
∗∗∗ Ransomware: AlphV meldet sich zurück, Aufruhr in der Szene ∗∗∗
---------------------------------------------
In der Ransomware-Szene rumort es: Gruppen versuchen, einander Mitglieder abspenstig zu machen, ein Geldwäscher geht ins Netz und Betrüger betrügen einander.
---------------------------------------------
https://www.heise.de/-9574446
∗∗∗ Amazon-Händler:innen wollen über Telegram-Gruppen Bewertungen kaufen? Machen Sie nicht mit! ∗∗∗
---------------------------------------------
Auf Telegram gibt es Kanäle, die gratis Amazon-Produkte versprechen. Die Idee dahinter: Sie suchen sich ein Produkt aus, bestellen es über Ihren privaten Amazon-Account, schreiben eine 5-Sterne-Bewertung und bekommen als Dankeschön das Geld über PayPal zurückerstattet. Mit dieser Masche kaufen sich Marketplace-Händler:innen Bewertungen, um besser gerankt zu werden – eine nicht legale Praktik.
---------------------------------------------
https://www.watchlist-internet.at/news/amazon-haendlerinnen-wollen-ueber-te…
∗∗∗ Protecting the enterprise from dark web password leaks ∗∗∗
---------------------------------------------
The trade in compromised passwords in dark web markets is particularly damaging. Cybercriminals often exploit password leaks to access sensitive data, commit fraud or launch further attacks. Let’s explore the various ways passwords are leaked to the dark web and discuss strategies for using dark web data to protect your organization.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/protecting-the-ente…
∗∗∗ Rhadamanthys v0.5.0 – a deep dive into the stealer’s components ∗∗∗
---------------------------------------------
In this article we do a deep dive into the functionality and cooperation between the modules. The first part of the article describes the loading chain that is used to retrieve the package with the stealer components. In the second part, we take a closer look at those components, their structure, abilities, and implementation.
---------------------------------------------
https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-t…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-1773: (0Day) Intel Driver & Support Assistant Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of Intel Driver & Support Assistant. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-1773/
∗∗∗ Paloalto released 7 Security Advisories ∗∗∗
---------------------------------------------
PAN-OS: CVE-2023-6790, CVE-2023-6791, CVE-2023-6794, CVE-2023-6792, CVE-2023-6795, CVE-2023-6793, CVE-2023-6789
---------------------------------------------
https://security.paloaltonetworks.com/
∗∗∗ Zoom behebt Sicherheitslücken unter Windows, Android und iOS ∗∗∗
---------------------------------------------
Durch ungenügende Zugriffskontrolle, Verschlüsselungsprobleme und Pfadmanipulation konnten Angreifer sich zusätzliche Rechte verschaffen.
---------------------------------------------
https://www.heise.de/-9574367
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and rabbitmq-server), Fedora (chromium, kernel, perl-CryptX, and python-jupyter-server), Mageia (curl), Oracle (curl and postgresql), Red Hat (gstreamer1-plugins-bad-free, linux-firmware, postgresql, postgresql:10, and postgresql:15), Slackware (xorg), SUSE (catatonit, containerd, runc, container-suseconnect, gimp, kernel, openvswitch, poppler, python-cryptography, python-Twisted, python3-cryptography, qemu, squid, tiff, webkit2gtk3, xorg-x11-server, and xwayland), and Ubuntu (xorg-server and xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/955130/
∗∗∗ Dell Urges Customers to Patch Vulnerabilities in PowerProtect Products ∗∗∗
---------------------------------------------
Dell is informing PowerProtect DD product customers about 8 vulnerabilities, including many rated ‘high severity’, and urging them to install patches.
---------------------------------------------
https://www.securityweek.com/dell-urges-customers-to-patch-vulnerabilities-…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (December 4, 2023 to December 10, 2023) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2023/12/wordfence-intelligence-weekly-wordpr…
∗∗∗ Cambium ePMP 5GHz Force 300-25 Radio ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-01
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.0.0, 6.1.0, 6.1.1, and 6.2.0: SC-202312.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-44
∗∗∗ Johnson Controls Kantech Gen1 ioSmart ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 12-12-2023 18:00 − Mittwoch 13-12-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ FakeSG campaign, Akira ransomware and AMOS macOS stealer ∗∗∗
---------------------------------------------
In this report, we share our latest crimeware findings: FakeSG malware distribution campaign delivering NetSupport RAT, new Conti-like Akira ransomware and AMOS stealer for macOS.
---------------------------------------------
https://securelist.com/crimeware-report-fakesg-akira-amos/111483/
∗∗∗ Willhaben: Lassen Sie sich nicht auf WhatsApp und Co locken! ∗∗∗
---------------------------------------------
Wenn Sie auf willhaben über Kleinanzeigen Ware verkaufen oder kaufen wollen, dann sind Sie am besten vor Betrug geschützt, wenn Sie einige einfach Tipps beachten. Insbesondere sollten Sie sich aber nicht über den willhaben-Chat auf externe Kanäle leiten lassen.
---------------------------------------------
https://www.watchlist-internet.at/news/willhaben-lassen-sie-sich-nicht-auf-…
∗∗∗ A pernicious potpourri of Python packages in PyPI ∗∗∗
---------------------------------------------
The past year has seen over 10,000 downloads of malicious packages hosted on the official Python package repository
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/pernicious-potpourri-python…
∗∗∗ Web shell on a SonicWall SMA ∗∗∗
---------------------------------------------
Truesec Cybersecurity Incident Response Team (CSIRT) found a compromised SonicWall Secure Mobile Access (SonicWall SMA) device on which a threat actor (TA) had deployed a web shell, a hiding mechanism, and a way to ensure persistence across firmware upgrades.
---------------------------------------------
https://www.truesec.com/hub/blog/web-shell-on-a-sonicwall-sma
∗∗∗ A Day In The Life Of A GreyNoise Researcher: The Path To Understanding The Remote Code Execution Vulnerability Apache (CVE-2023-50164) in Apache Struts2 ∗∗∗
---------------------------------------------
This weakness enables attackers to remotely drop and call a web shell through a public interface.
---------------------------------------------
https://www.greynoise.io/blog/a-day-in-the-life-of-a-greynoise-researcher-t…
∗∗∗ Responding to CitrixBleed (CVE-2023-4966): Key Takeaways from Affected Companies ∗∗∗
---------------------------------------------
This critical security flaw has had a significant impact across various industries in the United States, including credit unions and healthcare services, marking it as one of the most critical vulnerabilities of 2023. Its relatively straightforward buffer overflow exploitability has raised major concerns.
---------------------------------------------
https://blog.morphisec.com/responding-to-citrixbleed
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft: OAuth apps used to automate BEC and cryptomining attacks ∗∗∗
---------------------------------------------
Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-oauth-apps-used-to…
∗∗∗ Final Patch Tuesday of 2023 goes out with a bang ∗∗∗
---------------------------------------------
Microsoft fixed 36 flaws. Adobe addressed 212. Apple, Google, Cisco, VMware and Atlassian joined the party Its the last Patch Tuesday of 2023, which calls for celebration – just as soon as you update Windows, Adobe, Google, Cisco, FortiGuard, SAP, VMware, Atlassian and Apple products, of course.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/12/13/december_202…
∗∗∗ Patchday Microsoft: Outlook kann sich an Schadcode-E-Mail verschlucken ∗∗∗
---------------------------------------------
Microsoft hat wichtige Sicherheitsupdates für Azure, Defender & Co. veröffentlicht. Bislang soll es keine Attacken geben.
---------------------------------------------
https://www.heise.de/news/Patchday-Microsoft-Outlook-kann-sich-an-Schadcode…
∗∗∗ Patchday: Adobe schließt 185 Sicherheitslücken in Experience Manager ∗∗∗
---------------------------------------------
Angreifer können Systeme mit Anwendungen von Adobe ins Visier nehmen. Nun hat der Softwarehersteller Schwachstellen geschlossen.
---------------------------------------------
https://www.heise.de/news/Patchday-Adobe-Adobe-schliesst-185-Sicherheitslue…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (debian-security-support and xorg-server), Fedora (java-17-openjdk, libcmis, and libreoffice), Mageia (fish), Red Hat (buildah, containernetworking-plugins, curl, fence-agents, kernel, kpatch-patch, libxml2, pixman, podman, runc, skopeo, and tracker-miners), SUSE (kernel, SUSE Manager 4.3.10 Release Notes, and SUSE Manager Client Tools), and Ubuntu (gnome-control-center, linux-gcp, linux-kvm, linux-gkeop, linux-gkeop-5.15, linux-hwe-6.2, [...]
---------------------------------------------
https://lwn.net/Articles/954921/
∗∗∗ Mal wieder Apache Struts: CVE-2023-50164 ∗∗∗
---------------------------------------------
Wir haben in der Vergangenheit ernsthaft schlechte Erfahrungen mit Schwachstellen in der Apache Struts Library gemacht. Etwa mit CVE-2017-5638 oder CVE-2017-9805. Insbesondere komplexe Webseiten/Portal, oft von größeren Firmen, wurden öfters in Java entwickelt und waren für eine Massenexploitation anfällig. Daher haben wir die Veröffentlichung einer neuen Schwachstelle in Struts CVE-2023-50164 mit dem CVSS Score von 9.8 initial als besorgniserregend eingestuft.
---------------------------------------------
https://cert.at/de/aktuelles/2023/12/mal-wieder-apache-struts-cve-2023-50164
∗∗∗ Apache Struts Vulnerability Affecting Cisco Products: December 2023 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Atos Unify Security Advisories ∗∗∗
---------------------------------------------
https://unify.com/en/support/security-advisories
∗∗∗ Fortiguard Security Advisories ∗∗∗
---------------------------------------------
https://www.fortiguard.com/psirt
∗∗∗ Technical Advisory – Multiple Vulnerabilities in Nagios XI ∗∗∗
---------------------------------------------
https://research.nccgroup.com/2023/12/13/technical-advisory-multiple-vulner…
∗∗∗ VMSA-2023-0027 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0027.html
∗∗∗ Command injection vulnerability in Bosch IP Cameras ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-638184-bt.html
∗∗∗ Denial of Service vulnerability in Bosch BT software products ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-092656-bt.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily