=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 08-11-2023 18:00 − Donnerstag 09-11-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Highly invasive backdoor snuck into open source packages targets developers ∗∗∗
---------------------------------------------
Packages downloaded thousands of times targeted people working on sensitive projects.
---------------------------------------------
https://arstechnica.com/?p=1982281
∗∗∗ Google ads push malicious CPU-Z app from fake Windows news site ∗∗∗
---------------------------------------------
A threat actor has been abusing Google Ads to distribute a trojanized version of the CPU-Z tool to deliver the Redline info-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-ads-push-malicious-cp…
∗∗∗ Visual Examples of Code Injection, (Thu, Nov 9th) ∗∗∗
---------------------------------------------
I spotted an interesting sample that perform this technique and I was able to collect “visible” information. The malware was delivered through a phishing email with a ZIP archive.
---------------------------------------------
https://isc.sans.edu/diary/rss/30388
∗∗∗ Google Play: Extra-Sicherheitsprüfungen sollen Apps vertrauenswürdiger machen ∗∗∗
---------------------------------------------
Ab sofort sind bestimmte Apps in Google Play mit einem neuen Banner gekennzeichnet, der mehr Sicherheit garantieren soll. Den Anfang machen einige VPN-Apps.
---------------------------------------------
https://www.heise.de/-9357280
∗∗∗ Spammers abuse Google Forms’ quiz to deliver scams ∗∗∗
---------------------------------------------
Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms.
---------------------------------------------
https://blog.talosintelligence.com/google-forms-quiz-spam/
∗∗∗ GhostLocker - A “Work In Progress” RaaS ∗∗∗
---------------------------------------------
GhostSec, has introduced a novel Ransom-as-a-Service encryptor known as GhostLocker.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/11/08/ghostlocker-a-work-in-progress-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cacti and chromium), Fedora (CuraEngine, podman, and rubygem-rmagick), Mageia (gnome-shell, openssl, and zlib), SUSE (salt), and Ubuntu (xrdp).
---------------------------------------------
https://lwn.net/Articles/950850/
∗∗∗ CVE-2023-3282 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine (Severity: MEDIUM) ∗∗∗
---------------------------------------------
This issue is applicable only to Cortex XSOAR engines installed through the shell method that are running on a Linux operating system.
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-3282
∗∗∗ CVE-2023-47246: SysAid Zero-Day Vulnerability Exploited By Lace Tempest ∗∗∗
---------------------------------------------
A new zero-day vulnerability (CVE-2023-47246) in SysAid IT service management software is being exploited by the threat group responsible for the MOVEit Transfer attack in May 2023.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/11/09/etr-cve-2023-47246-sysaid-zero-…
∗∗∗ Drupal: GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-051
∗∗∗ Drupal: GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-050
∗∗∗ Weidmüller: WIBU Vulnerability in multiple Products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-032/
∗∗∗ Johnson Controls Quantum HD Unity ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01
∗∗∗ Hitachi Energy eSOMS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-02
∗∗∗ IBM Security Guardium is affected by denial of service vulnerabilities (CVE-2023-3635, CVE-2023-28118) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7069238
∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability in Apache Struts (CVE-2023-34149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7069237
∗∗∗ Vulnerabilities in Linux Kernel, Samba, Golang, Curl, and openssl can affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7069319
∗∗∗ A vulnerability in Samba affects IBM Storage Scale SMB protocol access method (CVE-2022-2127) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7070025
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 07-11-2023 18:00 − Mittwoch 08-11-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Example of Phishing Campaign Project File, (Wed, Nov 8th) ∗∗∗
---------------------------------------------
We all have a love and hate relation with emails. When newcomers on the Internet starts to get emails, they are so happy but their feeling changes quickly. Then, they hope to reduce the flood of emails received daily... Good luck! Of course, tools have been developed to organize marketing campaigns. From marketing to spam or phishing, there is only one step. Bad guys started to use the same programs for malicious purpose.
---------------------------------------------
https://isc.sans.edu/diary/rss/30384
∗∗∗ Researchers Uncover Undetectable Crypto Mining Technique on Azure Automation ∗∗∗
---------------------------------------------
Cybersecurity researchers have developed whats the first fully undetectable cloud-based cryptocurrency miner leveraging the Microsoft Azure Automation service without racking up any charges. Cybersecurity company SafeBreach said it discovered three different methods to run the miner, including one that can be executed on a victims environment without attracting any attention.
---------------------------------------------
https://thehackernews.com/2023/11/researchers-uncover-undetectable-crypto.h…
∗∗∗ Hunderte Experten warnen vor staatlichen Root-Zertifikaten ∗∗∗
---------------------------------------------
Bald sollen EU-Bürger sich auf grenzüberschreitende elektronische Dienste und Vertrauensstellen verlassen müssen. Experten schlagen Alarm.
---------------------------------------------
https://www.heise.de/-9355165.html
∗∗∗ Angebliches LinkedIn-Datenleck: Daten von Tätern konstruiert ∗∗∗
---------------------------------------------
Im digitalen Untergrund haben Kriminelle Daten aus einem angeblichen LinkedIn-Leck angeboten. Diese entpuppen sich als künstlich aufgebläht.
---------------------------------------------
https://www.heise.de/-9355976.html
∗∗∗ Tool Release: Magisk Module – Conscrypt Trust User Certs ∗∗∗
---------------------------------------------
Android 14 introduced a new feature which allows to remotely install CA certificates. This change implies that instead of using the /system/etc/security/cacerts directory to check the trusted CA’s, this new feature uses the com.android.conscrypt APEX module, and reads the certificates from the directory /apex/com.android.conscrypt/cacerts. Inspired by this blog post by Tim Perry, I decided to create a [...]
---------------------------------------------
https://research.nccgroup.com/2023/11/08/tool-release-magisk-module-conscry…
∗∗∗ Sumo Logic Urges Users to Change Credentials Due to Security Breach ∗∗∗
---------------------------------------------
Cloud monitoring and SIEM firm Sumo Logic is urging users to rotate credentials following the discovery of a security breach.
---------------------------------------------
https://www.securityweek.com/sumo-logic-urges-users-to-change-credentials-d…
∗∗∗ Vorsicht vor stark verbilligten Amazon-Schnäppchen ∗∗∗
---------------------------------------------
Man glaubt es kaum: Tablets, Smartphones oder Notebooks, die auf Amazon um die Hälfte billiger angeboten werden. Solche Schnäppchen entpuppen sich aber als Lockangebote, um Ihnen Geld zu stehlen. Wir zeigen Ihnen, wie diese Betrugsmasche funktioniert!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-stark-verbilligten-amaz…
∗∗∗ Vorsicht vor vermeintlichen Rechnungen der „Click Office World“ ∗∗∗
---------------------------------------------
Fake-Rechnungen sind nichts Neues in der Welt des Unternehmensbetrugs, aktuell scheinen Betrüger:innen jedoch wieder massenhaft solche Rechnungen zu versenden. So erhalten viele Unternehmen derzeit per Post englischsprachige Rechnungen von „CLICK OFFICE WORLD“, in denen eine 14-tägige Zahlungsfrist und ein Betrag von 955 Euro gefordert werden. Zahlen Sie nichts, es handelt sich um Betrug!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-vermeintlichen-rechnung…
∗∗∗ Warning Against Phobos Ransomware Distributed via Vulnerable RDP ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the active distribution of the Phobos ransomware. Phobos is a variant known for sharing technical and operational similarities with the Dharma and CrySis ransomware. These ransomware strains typically target externally exposed Remote Desktop Protocol (RDP) services with vulnerable securities as attack vectors.
---------------------------------------------
https://asec.ahnlab.com/en/58753/
∗∗∗ Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware ∗∗∗
---------------------------------------------
Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group.
---------------------------------------------
https://www.hackread.com/lazarus-bluenoroff-apt-macos-objcshellz-malware/
∗∗∗ A Balanced Approach: New Security Headers Grading Criteria ∗∗∗
---------------------------------------------
The Security Headers grading criteria is something that doesnt change often, but when it does, theres a good reason behind the change. In this blog, I will outline the new grading criteria and the reasons why weve made the change.
---------------------------------------------
https://scotthelme.co.uk/a-balanced-approach-new-security-headers-grading-c…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patchday: Kritische System-Lücke bedroht Android 11, 12 und 13 ∗∗∗
---------------------------------------------
Google hat wichtige Sicherheitsupdates für verschiedene Android-Versionen veröffentlicht.
---------------------------------------------
https://www.heise.de/-9355953.html
∗∗∗ Malware-Schutz: Rechteausweitung in Trend Micros Apex One möglich ∗∗∗
---------------------------------------------
In Trend Micros Schutzsoftware Apex One können Angreifer Schwachstellen missbrauchen, um ihre Privilegien auszuweiten. Updates korrigieren das.
---------------------------------------------
https://www.heise.de/-9356484.html
∗∗∗ Webbrowser: Lücke mit hohem Risiko in Google Chrome geschlossen ∗∗∗
---------------------------------------------
Google schließt mit dem Update von Chrome eine hochriskante Sicherheitslücke, die Webseiten offenbar das Unterschieben von Schadcode ermöglicht.
---------------------------------------------
https://www.heise.de/-9355888.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-urllib3 and tang), Fedora (chromium, mlpack, open-vm-tools, and salt), Red Hat (avahi, binutils, buildah, c-ares, cloud-init, containernetworking-plugins, cups, curl, dnsmasq, edk2, flatpak, frr, gdb, ghostscript, glib2, gmp, grafana, haproxy, httpd, mod_http2, java-21-openjdk, kernel, krb5, libfastjson, liblouis, libmicrohttpd, libpq, libqb, librabbitmq, LibRaw, libreoffice, libreswan, libssh, libtiff, libvirt, libX11, linux-firmware, mod_auth_openidc, ncurses, nghttp2, opensc, pcs, perl-CPAN, perl-HTTP-Tiny, podman, procps-ng, protobuf-c, python-cryptography, python-pip, python-tornado, python-wheel, python3.11, python3.11-pip, python3.9, qemu-kvm, qt5 stack, runc, samba, samba, evolution-mapi, openchange, shadow-utils, skopeo, squid, sysstat, tang, tomcat, toolbox, tpm2-tss, webkit2gtk3, wireshark, xorg-x11-server, xorg-x11-server-Xwayland, and yajl), Slackware (sudo), SUSE (squid), and Ubuntu (python-urllib3).
---------------------------------------------
https://lwn.net/Articles/950694/
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-29552 Service Location Protocol (SLP) Denial-of-Service Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/11/08/cisa-adds-one-known-expl…
∗∗∗ GE MiCOM S1 Agile ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could allow an attacker to upload malicious files and achieve code execution.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-311-01
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 06-11-2023 18:00 − Dienstag 07-11-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Microsoft Authenticator now blocks suspicious MFA alerts by default ∗∗∗
---------------------------------------------
Microsoft has introduced a new protective feature in the Authenticator app to block notifications that appear suspicious based on specific checks performed during the account login stage.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-authenticator-now-…
∗∗∗ MacBook Pro M3 läuft unter Umständen noch mit altem macOS – Update nicht möglich ∗∗∗
---------------------------------------------
Auf manchem neuen MacBook Pro M3 läuft eine Version von macOS 13, die gravierende Sicherheitslücken hat. Sie lässt sich offenbar nicht direkt updaten.
---------------------------------------------
https://www.heise.de/-9355709
∗∗∗ New GootLoader Malware Variant Evades Detection and Spreads Rapidly ∗∗∗
---------------------------------------------
A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection.
---------------------------------------------
https://thehackernews.com/2023/11/new-gootloader-malware-variant-evades.html
∗∗∗ Phishing With Dynamite ∗∗∗
---------------------------------------------
Token stealing is getting harder. Instead, stealing whole logged-in browser instances may be an easier and more generic approach. One attack, known as “browser-in-the-middle” (BitM), makes it possible to virtually place a user in front of our browser and request them to log in for us. One of my old work buddies referred to it as “phishing with dynamite” after using it on a few social engineering campaigns.
---------------------------------------------
https://posts.specterops.io/phishing-with-dynamite-7d33d8fac038
∗∗∗ D0nut encrypt me, I have a wife and no backups ∗∗∗
---------------------------------------------
Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements. In case you missed it, last time we analysed an Incident Response engagement involving BlackCat Ransomware. In this instalment, we take a deeper dive into the D0nut extortion group.
---------------------------------------------
https://research.nccgroup.com/2023/11/06/d0nut-encrypt-me-i-have-a-wife-and…
∗∗∗ Post-exploiting a compromised etcd – Full control over the cluster and its nodes ∗∗∗
---------------------------------------------
When considering the attack surface in Kubernetes, we consider certain unauthenticated components, such as the kube-apiserver and kubelet, as well as leaked tokens or credentials that grant access to certain cluster features, and non-hardened containers that may provide access to the underlying host. However, when discussing etcd, it is often perceived solely as an information storage element within the cluster from which secrets can be extracted. However, etcd is much more than that.
---------------------------------------------
https://research.nccgroup.com/2023/11/07/post-exploiting-a-compromised-etcd…
∗∗∗ Generating IDA Type Information Libraries from Windows Type Libraries ∗∗∗
---------------------------------------------
In this quick-post, well explore how to convert Windows type libraries (TLB) into IDA type information libraries (TIL).
---------------------------------------------
https://blog.nviso.eu/2023/11/07/generating-ida-type-information-libraries-…
∗∗∗ CISA Published When to Issue VEX Information ∗∗∗
---------------------------------------------
This guide explains the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information. Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/11/06/cisa-published-when-issu…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitsupdates: Zwei kritische Lücken bedrohen Monitoringtool Veeam One ∗∗∗
---------------------------------------------
Die Entwickler haben in Veeam One unter anderem zwei kritische Schwachstellen geschlossen. Im schlimmsten Fall kann Schadcode auf Systeme gelangen.
---------------------------------------------
https://www.heise.de/-9354987
∗∗∗ WS_FTP Server Arbitrary File Upload CVE-2023-42659 - (CRITICAL) ∗∗∗
---------------------------------------------
In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An authenticated Ad Hoc Transfer user has the ability to craft an API call which allows them to upload a file to a specified location on the underlying operating system hosting the WS_FTP Server application.
---------------------------------------------
https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-Novembe…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (trapperkeeper-webserver-jetty9-clojure), Mageia (libsndfile, packages, thunderbird, and x11-server), Oracle (.NET 6.0), SUSE (kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools- container, virt-operator-container, redis, and squid), and Ubuntu (gsl).
---------------------------------------------
https://lwn.net/Articles/950523/
∗∗∗ 37 Vulnerabilities Patched in Android With November 2023 Security Updates ∗∗∗
---------------------------------------------
The Android security updates released this week resolve 37 vulnerabilities, including a critical information disclosure bug.
---------------------------------------------
https://www.securityweek.com/37-vulnerabilities-patched-in-android-with-nov…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ GE MiCOM S1 Agile ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-311-23
∗∗∗ Zyxel security advisory for improper privilege management vulnerability in GS1900 series switches ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 03-11-2023 18:00 − Montag 06-11-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft Exchange: Vier 0-day-Schwachstellen ermöglichen RCE-Angriffe und Datenklau ∗∗∗
---------------------------------------------
Die Zero Day Initiative (ZDI) von Trend Micro hat gerade vier ungepatchte Schwachstellen (sogenannte 0-Days) in Microsoft Exchange öffentlich gemacht. Diese wurden im September 2023 an Microsoft gemeldet und ZDI stuft die mit CVSS-Scores von 7.1 bis 7.5 ein. Microsofts Sicherheitsexperten sehen die Schwachstellen als nicht so schwerwiegend an, dass diese ein sofortiges Handeln erfordern (zur Ausnutzung sei eine Authentifizierung erforderlich). Die Microsoft-Entwickler haben Fixes "für später" angekündigt. Daher ist die Zero Day Initiative an die Öffentlichkeit gegangen, da man trotzdem die Möglichkeit für RCE-Angriffe und Datenklau sieht.
---------------------------------------------
https://www.borncity.com/blog/2023/11/04/microsoft-exchange-vier-0-day-schw…
∗∗∗ Sicherheitsupdates QNAP: Angreifer können eigene Befehle auf NAS ausführen ∗∗∗
---------------------------------------------
Wichtige Sicherheitspatches sichern Netzwerkspeicher von QNAP ab. Unbefugte können Daten einsehen.
---------------------------------------------
https://www.heise.de/-9354109.html
∗∗∗ E-Mail von A1 mit einer Rechnung über € 289,60 ist Fake ∗∗∗
---------------------------------------------
Aktuell werden A1-Kund:innen mit einer gefälschten Rechnung über € 289,60 verunsichert. Im E-Mail – angeblich von A1 – steht, dass der Rechnungsbetrag „heute“ von Ihrem Bankkonto bzw. Ihrer Kreditkarte abgebucht wird. Im Anhang finden Sie die Infos zu Ihrer Rechnung. Wenn Sie auf den Anhang klicken, werden Sie auf eine gefälschte Login-Seite geführt. Kriminelle stehlen damit Ihre Zugangs- und Bankdaten!
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-von-a1-mit-einer-rechnung-ueb…
∗∗∗ Socks5Systemz proxy service infects 10,000 systems worldwide ∗∗∗
---------------------------------------------
A proxy botnet called Socks5Systemz has been infecting computers worldwide via the PrivateLoader and Amadey malware loaders, currently counting 10,000 infected devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/socks5systemz-proxy-service-…
∗∗∗ Cybercrime service bypasses Android security to install malware ∗∗∗
---------------------------------------------
A new dropper-as-a-service (DaaS) named SecuriDropper has emerged, using a method that bypasses Android 13s Restricted Settings to install malware on devices and grant them access to the Accessibility Services.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cybercrime-service-bypasses-…
∗∗∗ TellYouThePass ransomware joins Apache ActiveMQ RCE attacks ∗∗∗
---------------------------------------------
Internet-exposed Apache ActiveMQ servers are also targeted in TellYouThePass ransomware attacks targeting a critical remote code execution (RCE) vulnerability previously exploited as a zero-day.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-jo…
∗∗∗ Gaming-related cyberthreats in 2023: Minecrafters targeted the most ∗∗∗
---------------------------------------------
Gaming-related threat landscape in 2023: desktop and mobile malware disguised as Minecraft, Roblox and other popular games, and the most widespread phishing schemes.
---------------------------------------------
https://securelist.com/game-related-threat-report-2023/110960/
∗∗∗ Google Warns How Hackers Could Abuse Calendar Service as a Covert C2 Channel ∗∗∗
---------------------------------------------
Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure. The tool, called Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first published to GitHub in June 2023.
---------------------------------------------
https://thehackernews.com/2023/11/google-warns-of-hackers-absing-calendar.h…
∗∗∗ Persistence – Windows Telemetry ∗∗∗
---------------------------------------------
Microsoft has introduced the compatibility telemetry in order to collect usage and performance data about Windows systems [...] TrustedSec has identified that it is feasible to abuse the Windows telemetry mechanism for persistence during red team operations if elevated access has been achieved.
---------------------------------------------
https://pentestlab.blog/2023/11/06/persistence-windows-telemetry/
∗∗∗ What is Classiscam Scam-as-a-Service? ∗∗∗
---------------------------------------------
"The Classiscam scam-as-a-service operation has broadened its reach worldwide, targeting many more brands, countries, and industries, causing more significant financial damage than before,” touts Bleeping Computer. So just what is it? What is Classiscam? It’s a bird. It’s a plane. It’s - a pyramid? Classiscam is an enterprising criminal operation that uses a division of labor to organize low-level phishers into classified site scammers and takes a cut off the top.
---------------------------------------------
https://www.tripwire.com/state-of-security/what-classiscam-scam-service
∗∗∗ Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518 ∗∗∗
---------------------------------------------
As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment. We have confirmed that at least some of the exploits are targeting CVE-2023-22518.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/11/06/etr-rapid7-observed-exploitatio…
∗∗∗ Your printer is not your printer ! - Hacking Printers at Pwn2Own Part II ∗∗∗
---------------------------------------------
Based on our previous research, we also discovered Pre-auth RCE vulnerabilities((CVE-2023-0853、CVE-2023-0854) in other models of Canon printers. For the HP vulnerability, we had a collision with another team. In this section, we will detail the Canon and HP vulnerabilities we exploited during Pwn2own Toronto.
---------------------------------------------
https://devco.re/blog/2023/11/06/your-printer-is-not-your-printer-hacking-p…
∗∗∗ Provocative Facebook Ads Leveraged to Deliver NodeStealer Malware ∗∗∗
---------------------------------------------
Beware of Provocative Facebook Ads, Warn Researchers!
---------------------------------------------
https://www.hackread.com/provocative-facebook-ads-nodestealer-malware/
∗∗∗ Scanning KBOM for Vulnerabilities with Trivy ∗∗∗
---------------------------------------------
Early this summer we announced the release of Kubernetes Bills of Material (KBOM) as part of Trivy, our all in one, popular open source security scanner. In the blog we discussed how KBOM is the manifest of all the important components that make up your Kubernetes cluster: Control plane components, Node Components, and Addons, including their versions and images.
---------------------------------------------
https://blog.aquasec.com/scanning-kbom-for-vulnerabilities-with-trivy
∗∗∗ Security updates 1.6.5 and 1.5.6 released ∗∗∗
---------------------------------------------
We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They all contain a fix for recently reported security vulnerability. [...] We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions.
---------------------------------------------
https://roundcube.net/news/2023/11/05/security-updates-1.6.5-and-1.5.6
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, open-vm-tools, openjdk-17, pmix, and trafficserver), Fedora (netconsd, podman, suricata, and usd), Oracle (.NET 6.0, .NET 7.0, binutils, ghostscript, java-1.8.0-openjdk, kernel, and squid), SUSE (apache-ivy, gstreamer-plugins-bad, kernel, nodejs12, opera, poppler, rubygem-activesupport-5.2, tiff, util-linux, and virtualbox), and Ubuntu (krb5).
---------------------------------------------
https://lwn.net/Articles/950413/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 02-11-2023 18:00 − Freitag 03-11-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New macOS KandyKorn malware targets cryptocurrency engineers ∗∗∗
---------------------------------------------
A new macOS malware dubbed KandyKorn has been spotted in a campaign attributed to the North Korean Lazarus hacking group, targeting blockchain engineers of a cryptocurrency exchange platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-macos-kandykorn-malware-…
∗∗∗ Atlassian warns of exploit for Confluence data wiping bug, get patching ∗∗∗
---------------------------------------------
Atlassian warned admins that a public exploit is now available for a critical Confluence security flaw that can be used in data destruction attacks targeting Internet-exposed and unpatched instances.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/atlassian-warns-of-exploit-f…
∗∗∗ Spyware Designed for Telegram Mods Also Targets WhatsApp Add-Ons ∗∗∗
---------------------------------------------
Researchers discovered spyware designed to steal from Android devices and from Telegram mods can also reach WhatsApp users.
---------------------------------------------
https://www.darkreading.com/dr-global/spyware-designed-for-telegram-mods-al…
∗∗∗ Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments ∗∗∗
---------------------------------------------
The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a "new experimental campaign" designed to breach cloud environments.
---------------------------------------------
https://thehackernews.com/2023/11/kinsing-actors-exploit-linux-flaw-to.html
∗∗∗ 48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems ∗∗∗
---------------------------------------------
A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems. "These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said.
---------------------------------------------
https://thehackernews.com/2023/11/48-malicious-npm-packages-found.html
∗∗∗ Prioritising Vulnerabilities Remedial Actions at Scale with EPSS ∗∗∗
---------------------------------------------
In this article, I’m presenting the Exploit Prediction Scoring System and its practical use cases in tandem with Common Vulnerability Scoring System.
---------------------------------------------
https://itnext.io/prioritising-vulnerabilities-remedial-actions-at-scale-wi…
∗∗∗ Einstufung von Sicherheitslücken: Der CVSS-4.0-Standard ist da ∗∗∗
---------------------------------------------
Von niedrig bis kritisch: Das Common Vulnerability Scoring System (CVSS) hat einen Versionssprung vollzogen.
---------------------------------------------
https://www.heise.de/-9352555
∗∗∗ Apples "Wo ist": Keylogger-Tastatur nutzt Ortungsnetz zum Passwortversand ∗∗∗
---------------------------------------------
Eigentlich soll es helfen, verlorene Dinge aufzuspüren. Unsere Keylogger-Tastatur nutzt Apples "Wo ist"-Ortungsnetz jedoch zum Ausschleusen von Daten.
---------------------------------------------
https://www.heise.de/-9342791
∗∗∗ Lücke in VMware ONE UEM ermöglicht Login-Klau ∗∗∗
---------------------------------------------
Durch eine unsichere Weiterleitung können Angreifer SAML-Tokens angemeldeter Nutzer klauen und deren Zugänge übernehmen. VMware stellt Updates bereit.
---------------------------------------------
https://www.heise.de/-9352599
∗∗∗ Should you allow your browser to remember your passwords? ∗∗∗
---------------------------------------------
It’s very convenient to store your passwords in your browser. But is it a good idea?
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/11/should-you-allow-your-browse…
∗∗∗ You’d be surprised to know what devices are still using Windows CE ∗∗∗
---------------------------------------------
Windows CE — an operating system that, despite being out for 27 years, never had an official explanation for why it was called “CE” — finally reached its official end-of-life period this week. This was Microsoft’s first operating system for embedded and pocket devices, making an appearance on personal pocket assistants, some of the first BlackBerry-likes, laptops and more during its lifetime.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-nov-2-2023/
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP Security Advisories 2023-11-04 ∗∗∗
---------------------------------------------
QNAP released 4 new security advisories (2x Critical, 2x Medium). Music Station, QTS, QuTS hero, QuTScloud, Multimedia Console and Media Streaming add-on.
---------------------------------------------
https://www.qnap.com/en-us/security-advisories
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (phppgadmin and vlc), Fedora (attract-mode, chromium, and netconsd), Red Hat (.NET 7.0, c-ares, curl, ghostscript, insights-client, python, squid, and squid:4), SUSE (kernel and roundcubemail), and Ubuntu (libsndfile).
---------------------------------------------
https://lwn.net/Articles/950061/
∗∗∗ Vulnerability in IBM SDK, Java Technology Edition may affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7066311
∗∗∗ Multiple security vulnerabilities in Go may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7066400
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 31-10-2023 18:00 − Donnerstag 02-11-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ New CVSS 4.0 vulnerability severity rating standard released ∗∗∗
---------------------------------------------
The Forum of Incident Response and Security Teams (FIRST) has officially released CVSS v4.0, the next generation of its Common Vulnerability Scoring System standard, eight years after CVSS v3.0, the previous major version.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-cvss-40-vulnerability-se…
∗∗∗ Nur zwei wurden gepatcht: Schwachstellen in 34 Treibern gefährden Windows-Systeme ∗∗∗
---------------------------------------------
Sicherheitsforscher der VMware Threat Analysis Unit (Tau) haben Schwachstellen in insgesamt 34 verschiedenen Windows-Gerätetreibern identifiziert. Böswillige Akteure können Firmwares gezielt manipulieren und sich auf Zielsystemen höhere Rechte verschaffen. "Alle Treiber geben Nicht-Admin-Benutzern volle Kontrolle über die Geräte", erklären die Forscher in ihrem Bericht.
---------------------------------------------
https://www.golem.de/news/nur-zwei-wurden-gepatcht-schwachstellen-in-34-tre…
∗∗∗ Windows 11, version 23H2 security baseline ∗∗∗
---------------------------------------------
This release includes several changes to further assist in the security of enterprise customers. Changes have been made to provide additional protections to the local admin account, Microsoft Defender Antivirus updates, and a new setting in response to an MSRC bulletin.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows…
∗∗∗ Moderne Telefonbetrüger: Wie Betrüger Geld mit nur einem Telefonanruf stehlen ∗∗∗
---------------------------------------------
In diesem Blogbeitrag wird eine Schwachstelle in einer Bankanwendung beschrieben, die es Angreifern ermöglicht, unbemerkt Geldtransaktionen von bis zu 5.000 € im Namen anderer Benutzer durchzuführen. Darüber hinaus werden weitere mögliche Angriffsszenarien beschrieben, mit denen persönliche Informationen abgegriffen werden können.
---------------------------------------------
https://sec-consult.com/de/blog/detail/moderne-telefonbetrueger-wie-betrueg…
∗∗∗ Jetzt patchen! Attacken auf BIG-IP-Appliances beobachtet ∗∗∗
---------------------------------------------
F5 warnt vor Angriffen auf BIG-IP-Appliances. Sicherheitspatches stehen bereit. Eine Lücke gilt als kritisch.
---------------------------------------------
https://www.heise.de/-9350108
∗∗∗ Sicherheitslücken: Angreifer können Cisco-Firewalls manipulieren ∗∗∗
---------------------------------------------
Mehrere Schwachstellen gefährden unter anderem Cisco Firepower und Identity Services Engine. Patches sind verfügbar.
---------------------------------------------
https://www.heise.de/-9351087
∗∗∗ MITRE ATT&CK v14 released ∗∗∗
---------------------------------------------
MITRE has released MITRE ATT&CK v14, the newest iteration of its popular investigation framework / knowledge base of tactics and techniques employed by cyber attackers. MITRE ATT&CK v14 ATT&CK’s goal is to catalog and categorize behaviors of cyber adversaries in real-world attacks.
---------------------------------------------
https://www.helpnetsecurity.com/2023/11/02/mitre-attck-v14/
∗∗∗ Unveiling the Dark Side: A Deep Dive into Active Ransomware Families ∗∗∗
---------------------------------------------
This series will focus on TTP’s deployed by four ransomware families recently observed during NCC Group’s incident response engagements.
---------------------------------------------
https://research.nccgroup.com/2023/10/31/unveiling-the-dark-side-a-deep-div…
∗∗∗ Wer hat Mozi getötet? IoT-Zombie-Botnetz wurde endlich zu Grabe tragen ∗∗∗
---------------------------------------------
Wie ESET Research einen Kill-Switch gefunden hat, der dazu benutzt wurde, eines der am weitesten verbreiteten Botnets auszuschalten.
---------------------------------------------
https://www.welivesecurity.com/de/eset-research/wer-hat-mozi-getotet-iot-zo…
∗∗∗ Kostenlose Webinar-Reihe „Schutz im Internet“ ∗∗∗
---------------------------------------------
In Kooperation mit der Arbeiterkammer Oberösterreich veranstaltet das ÖIAT (Österreichisches Institut für angewandte Telekommunikation) eine kostenlose Webinar-Reihe zu Themen wie Online-Shopping, Internet-Betrug und Identitätsdiebstahl!
---------------------------------------------
https://www.watchlist-internet.at/news/kostenlose-webinar-reihe-schutz-im-i…
∗∗∗ Drupal 9 is end of life - PSA-2023-11-01 ∗∗∗
---------------------------------------------
Drupal 9 relies on several other software projects, including Symfony, CKEditor, and Twig. With Symfony 4's end of life, CKEditor 4's end of life, and Twig 2's end of life all coming up soon, Drupal 9 went end of life on November 1st, 2023. There will be no further releases of Drupal 9.
---------------------------------------------
https://www.drupal.org/psa-2023-11-01
∗∗∗ Warning Against Infostealer Infections Upon Executing Legitimate EXE Files (DLL Hijacking) ∗∗∗
---------------------------------------------
Caution is advised as an Infostealer that prompts the execution of legitimate EXE files is actively being distributed. The threat actor is distributing a legitimate EXE file with a valid signature and a malicious DLL compressed in the same directory. The EXE file itself is legitimate, but when executed in the same directory as the malicious DLL, it automatically runs that malicious DLL. This technique is called DLL hijacking and is often used in the distribution of malware.
---------------------------------------------
https://asec.ahnlab.com/en/58319/
∗∗∗ Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox” ∗∗∗
---------------------------------------------
Where there is a potential for profit there are also people trying to scam others. “Roblox” users can be targeted by scammers (known as “beamers” by “Roblox” players) who attempt to steal valuable items or Robux from other players. This can sometimes be made easier for the scammers because of “Roblox's” young user base. Nearly half of the game’s 65 million users are under the age of 13 who may not be as adept at spotting scams.
---------------------------------------------
https://blog.talosintelligence.com/roblox-scam-overview/
∗∗∗ Suspected Exploitation of Apache ActiveMQ CVE-2023-46604 ∗∗∗
---------------------------------------------
Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October. Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Unpatched Powerful SSRF in Exchange OWA – Getting Response Through Attachments ∗∗∗
---------------------------------------------
As the attacker can abuse this SSRF to retrieve the content of the response, I thought it was a good finding. However, Microsoft did not agree [...] In short: this may get fixed or it may not. If they decide to fix it, the patch may appear in 1 year or in 3 years. In general, we know nothing. Accordingly, we informed Microsoft of our intention to publish this vulnerability as a 0-day advisory and a blog post. As we consider this issue potentially dangerous, we want organizations to be aware of the threat. For this reason, we are providing a PoC HTTP Request to be used for filtering and/or monitoring.
---------------------------------------------
https://www.thezdi.com/blog/2023/11/1/unpatched-powerful-ssrf-in-exchange-o…
∗∗∗ Cisco Security Advisories ∗∗∗
---------------------------------------------
Cisco has released 24 new and 4 updated Security Advisories (2x Critical, 11x High, 15x Medium)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Critical PHPFox RCE Vulnerability Risked Social Networks ∗∗∗
---------------------------------------------
Heads up, phpFox users! A critical remote code execution vulnerability existed in the phpFox service that allowed community takeovers [...] The researcher urged all phpFox users to update to the latest phpFox release (version 4.8.14 or later) to receive the security fix.
---------------------------------------------
https://latesthackingnews.com/2023/10/30/critical-phpfox-rce-vulnerability-…
∗∗∗ Webbrowser: Google Chrome bessert 15 Schwachstellen aus und kann HTTPS-Upgrades ∗∗∗
---------------------------------------------
Google hat den Webbrowser Chrome in Version 119 veröffentlicht. Sie schließt 15 Sicherheitslücken und etabliert den HTTPS-Upgrade-Mechanismus.
---------------------------------------------
https://www.heise.de/-9349956
∗∗∗ Sicherheitsupdates Nvidia: GeForce-Treiberlücken gefährden PCs ∗∗∗
---------------------------------------------
Nvidias Entwickler haben im Grafikkartentreiber und der VGPU-Software mehrere Sicherheitslücken geschlossen.
---------------------------------------------
https://www.heise.de/-9351600
∗∗∗ Solarwinds Platform 2023.4 schließt Codeschmuggel-Lücken ∗∗∗
---------------------------------------------
Solarwinds hat das Platform-Update auf Version 2023.4 veröffentlicht. Neben diversen Fehlerkorrekturen schließt es auch Sicherheitslücken.
---------------------------------------------
https://www.heise.de/-9351584
∗∗∗ VMSA-2023-0025 ∗∗∗
---------------------------------------------
An open redirect vulnerability in VMware Workspace ONE UEM console was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products. (CVE-2023-20886)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0025.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (h2o, open-vm-tools, pmix, and zookeeper), Gentoo (GitPython), Oracle (firefox, java-11-openjdk, java-17-openjdk, libguestfs-winsupport, nginx:1.22, and thunderbird), Red Hat (samba), SUSE (container-suseconnect, libsndfile, and slurm), and Ubuntu (krb5, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux-laptop, linux-nvidia-6.2, linux-oem-6.1, linux-raspi, open-vm-tools, and xorg-server).
---------------------------------------------
https://lwn.net/Articles/949612/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Gentoo (Netatalk), Oracle (firefox), Red Hat (.NET 6.0, .NET 6.0, .NET 7.0, binutils, and qemu-kvm), SUSE (gcc13, tomcat, and xorg-x11-server), and Ubuntu (axis, libvpx, linux-starfive, thunderbird, and xrdp).
---------------------------------------------
https://lwn.net/Articles/949820/
∗∗∗ [R1] Nessus Version 10.5.6 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-36
∗∗∗ [R1] Nessus Agent Version 10.4.3 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-38
∗∗∗ [R1] Nessus Version 10.6.2 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-37
∗∗∗ Drupal: Paragraphs admin - Moderately critical - - SA-CONTRIB-2023-049 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-049
∗∗∗ Open Exchange: 2023-08-01: OXAS-ADV-2023-0004 ∗∗∗
---------------------------------------------
https://documentation.open-xchange.com/security/advisories/txt/oxas-adv-202…
∗∗∗ IBM Security Bulletin ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Weintek EasyBuilder Pro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-05
∗∗∗ Schneider Electric SpaceLogic C-Bus Toolkit ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-06
∗∗∗ Franklin Fueling System TS-550 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-04
∗∗∗ Red Lion Crimson ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-01
∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-02
∗∗∗ Mitsubishi Electric MELSEC Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 30-10-2023 18:00 − Dienstag 31-10-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ CVE-2023-4966 in Citrix NetScaler ADC und NetScaler Gateway wurde bereits als 0-day ausgenutzt ∗∗∗
---------------------------------------------
Uns wurde inzwischen von drei Organisationen in Österreich berichtet, dass Angreifer aufgrund der Sicherheitslücke im Citrix Server in ihren Systemen aktiv geworden sind, bevor Patches von Citrix verfügbar waren. Es wurden Befehle zur Erkundung des Systems und erste Schritte in Richtung lateral Movement beobachtet. Wir gehen inzwischen von einer weitläufigen Ausnutzung dieses 0-days aus.
---------------------------------------------
https://cert.at/de/aktuelles/2023/10/cve-2023-4966-0day
∗∗∗ Exploit für Cisco IOS XE veröffentlicht, Infektionszahlen weiter hoch ∗∗∗
---------------------------------------------
Sicherheitsforscher haben den Exploit für Cisco IOS XE untersucht und seinen simplen Trick aufgedeckt. Hunderte Geräte mit Hintertür sind noch online.
---------------------------------------------
https://www.heise.de/-9349296
∗∗∗ Multiple Layers of Anti-Sandboxing Techniques, (Tue, Oct 31st) ∗∗∗
---------------------------------------------
It has been a while that I did not find an interesting malicious Python script. All the scripts that I recently spotted were always the same: a classic intostealer using Discord as C2 channel. Today I found one that contains a lot of anti-sanboxing techniques. Let's review them. For malware, it's key to detect the environment where they are executed. When detonated inside a sandbox (automatically or, manually, by an Analyst), they will be able to change their behaviour (most likely, do nothing).
---------------------------------------------
https://isc.sans.edu/diary/rss/30362
∗∗∗ Malicious NuGet Packages Caught Distributing SeroXen RAT Malware ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment.
---------------------------------------------
https://thehackernews.com/2023/10/malicious-nuget-packages-caught.html
∗∗∗ LDAP authentication in Active Directory environments ∗∗∗
---------------------------------------------
Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post introduces them through the lens of Python libraries.
---------------------------------------------
https://offsec.almond.consulting/ldap-authentication-in-active-directory-en…
∗∗∗ Programmiersprache: End of Life für PHP 8.0 und Neues für PHP 8.3 ∗∗∗
---------------------------------------------
Die kommende Version 8.3 der Programmiersprache PHP hält einige Neuerungen bereit, und PHP 8.0 nähert sich dem Supportende.
---------------------------------------------
https://www.heise.de/-9348772
∗∗∗ Verkaufen auf etsy: Vorsicht vor betrügerischen Anfragen ∗∗∗
---------------------------------------------
Auf allen gängigen Verkaufsplattformen tummeln sich Kriminelle. Sie nehmen vor allem neue Nutzer:innen ins Visier, die die Abläufe noch nicht kennen. Wir zeigen Ihnen, wie Sie betrügerische Anfragen erkennen und sicher verkaufen!
---------------------------------------------
https://www.watchlist-internet.at/news/verkaufen-auf-etsy-vorsicht-vor-betr…
∗∗∗ Lateral Movement: Abuse the Power of DCOM Excel Application ∗∗∗
---------------------------------------------
In this post, we will talk about an interesting lateral movement technique called ActivateMicrosoftApp() method within the distributed component object model (DCOM) Excel application. This technique is built upon Matt Nelson’s initial research on “Lateral Movement using Excel.Application and DCOM”.
---------------------------------------------
https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-…
∗∗∗ Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla) ∗∗∗
---------------------------------------------
While tracking the evolution of Pensive Ursa (aka Turla, Uroburos), Unit 42 researchers came across a new, upgraded variant of Kazuar. Not only is Kazuar another name for the enormous and dangerous cassowary bird, Kazuar is an advanced and stealthy .NET backdoor that Pensive Ursa usually uses as a second stage payload.
---------------------------------------------
https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backd…
=====================
= Vulnerabilities =
=====================
∗∗∗ Kritische Sicherheitslücke in Confluence Data Center und Confluence Server ∗∗∗
---------------------------------------------
In allen Versionen von Confluence Data Center und Confluence Server existiert eine kritische Sicherheitslücke (CVE-2023-22518 CVSS: 9.1). Das Ausnutzen der Sicherheitslücke auf betroffenen Geräten ermöglicht nicht authentifizierten Angreifern den Zugriff auf interne Daten des Systems. Obwohl Atlassian bislang keine Informationen zur aktiven Ausnutzung der Lücke hat, wird das zeitnahe Einspielen der verfügbaren Patches empfohlen.
---------------------------------------------
https://cert.at/de/warnungen/2023/10/confluence-cve-2023-22518
∗∗∗ RCE exploit for Wyze Cam v3 publicly released, patch now ∗∗∗
---------------------------------------------
A security researcher has published a proof-of-concept (PoC) exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices [...] Wyze released firmware update version 4.36.11.7071, which addresses the identified issues, on October 22, 2023, so users are recommended to apply the security update as soon as possible.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rce-exploit-for-wyze-cam-v3-…
∗∗∗ Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets ∗∗∗
---------------------------------------------
Three unpatched high-severity bugs in the NGINX ingress controller can be abused by miscreants to steal credentials and other secrets from Kubernetes clusters. The vulnerabilities, tracked as CVE-2023-5043, CVE-2023-5044 and CVE-2022-4886, were disclosed on October 27, and are listed as currently awaiting triage. It's unclear if any of the flaws have been exploited.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/10/30/unpatched_ng…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (jetty9, node-browserify-sign, request-tracker4, and request-tracker5), Fedora (golang-github-altree-bigfloat, golang-github-seancfoley-bintree, golang-github-seancfoley-ipaddress, kitty, slurm, and thunderbird), Gentoo (ConnMan, libxslt, and Salt), Mageia (chromium-browser-stable), Red Hat (firefox, libguestfs-winsupport, and thunderbird), SUSE (clamav, gcc13, gstreamer-plugins-bad, icu73_2, java-17-openjdk, nodejs10, poppler, python-Werkzeug, redis, thunderbird, webkit2gtk3, xorg-x11-server, and xwayland), and Ubuntu (kernel, linux-aws, linux-azure, linux-gcp, linux-oracle, linux-raspi, linux-iot, linux-raspi, linux-raspi-5.4, and mysql-8.0).
---------------------------------------------
https://lwn.net/Articles/949391/
∗∗∗ FujiFilm printer credentials encryption issue fixed ∗∗∗
---------------------------------------------
Many multi-function printers made by FujiFilm Business Innovation Corporation (Fujifilm) which includes Apeos, ApeosPro, PrimeLink and RevoriaPress brands as well as Xerox Corporation (Xerox) which includes VersaLink, PrimeLink, and WorkCentre brands, allow administrators to store credentials on them to allow users to upload scans and other files to FTP and SMB file servers. With the default configuration of these printers, it’s possible to retrieve these credentials in an encrypted format without authenticating to the printer. A vulnerability in the encryption process of these credentials means that you can decrypt them with responses from the web interface. This has been given the ID CVE-2023-46327.
---------------------------------------------
https://www.pentestpartners.com/security-blog/fujifilm-printer-credentials-…
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.0.0, 6.1.0, 6.1.1, and 6.2.0: SC-202310.1 ∗∗∗
---------------------------------------------
TNS-2023-35 / Critical
9.8 / 8.8 (CVE-2023-38545),
3.7 / 3.4 (CVE-2023-38546)
---------------------------------------------
https://www.tenable.com/security/tns-2023-35
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ INEA ME RTU ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-304-02
∗∗∗ Zavio IP Camera ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-304-03
∗∗∗ Sonicwall: TunnelCrack Vulnerabilities ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0015
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 27-10-2023 18:00 − Montag 30-10-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Flying under the Radar: The Privacy Impact of multicast DNS, (Mon, Oct 30th) ∗∗∗
---------------------------------------------
The recent patch to iOS/macOS for CVE-2023-42846 made me think it is probably time to write up a reminder about the privacy impact of UPNP and multicast DNS. This is not a new issue, but it appears to have been forgotten a bit [vuln]. In particular, Apple devices are well-known for their verbose multicast DNS messages.
---------------------------------------------
https://isc.sans.edu/diary/rss/30358
∗∗∗ Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware ∗∗∗
---------------------------------------------
A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE.
---------------------------------------------
https://thehackernews.com/2023/10/hackers-using-msix-app-packages-to.html
∗∗∗ Turning a boring file move into a privilege escalation on Mac ∗∗∗
---------------------------------------------
Hopefully other people find this trick useful, beyond just Parallels. You can find the code for this exploit on my GitHub [...] 2023-07-06 - fix released in version 18.3.2.
---------------------------------------------
https://pwn.win/2023/10/28/file-move-privesc-mac.html
∗∗∗ citrix-logchecker - Parse citrix netscaler logs to check for signs of CVE-2023-4966 exploitation ∗∗∗
---------------------------------------------
CERT.at stellt via Github ein Skript zur Verfügung, welches genutzt werden kann, um Citrix-Logs nach potenziell übernommenen Sessions zu durchsuchen. Sollten auffällige Sessions gefunden werden, wird eine tiefergehende Analyse empfohlen.
---------------------------------------------
https://github.com/certat/citrix-logchecker
∗∗∗ NATO und Behörden von kritischer Lücke in Lernplattform ILIAS betroffen ∗∗∗
---------------------------------------------
Gleich drei Sicherheitslücken in der Open-Source-Lernplattform ILIAS erlauben Codeschmuggel. Der Hersteller stellt eine aktualisierte Version bereit.
---------------------------------------------
https://www.heise.de/-9344057.html
∗∗∗ Forscher: Sicherheitslücken beim Roaming bleiben auch bei 5G eine große Gefahr ∗∗∗
---------------------------------------------
Mobilfunker und Regulierer unternehmen laut einem Bericht des Citizen Lab zu wenig, um Sicherheitsschwächen der Roaming- und Abrechnungsprotokolle auszumerzen.
---------------------------------------------
https://www.heise.de/-9347577.html
∗∗∗ F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747) ∗∗∗
---------------------------------------------
F5 Networks has released hotfixes for three vulnerabilities affecting its BIG-IP multi-purpose networking devices/modules, including a critical authentication bypass vulnerability (CVE-2023-46747) that could lead to unauthenticated remote code execution (RCE). About CVE-2023-46747 Discovered and reported by Thomas Hendrickson and Michael Weber of Praetorian Security, CVE-2023-46747 is a request smuggling bug in the Apache JServ Protocol (AJP) used by the vulnerable devices. [...] Praetorian has updated their blog post to include all the technical details, since Project Discovery has created a Nuclei template with the full CVE-2023-46747 attack chain.
---------------------------------------------
https://www.helpnetsecurity.com/2023/10/30/cve-2023-46747/
∗∗∗ Attackers Can Use Modified Wikipedia Pages to Mount Redirection Attacks on Slack ∗∗∗
---------------------------------------------
Researchers document the Wiki-Slack attack, a new technique that uses modified Wikipedia pages to target end users on Slack.
---------------------------------------------
https://www.securityweek.com/attackers-can-use-modified-wikipedia-pages-to-…
∗∗∗ Vorsicht vor Fake-Shops mit günstigen Lebensmitteln ∗∗∗
---------------------------------------------
Mittlerweile können Sie auch Lebensmittel online bestellen. Bedenken Sie aber: Auch hier gibt es betrügerische Angebote. Kriminelle bieten stark vergünstigte Lebensmittel in Fake-Shops wie leckerwurzede.com an. Wenn Sie dort bestellen, verlieren Sie Ihr Geld!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-mit-guenstig…
∗∗∗ CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys ∗∗∗
---------------------------------------------
We analyze an attack path starting with GitHub IAM exposure and leading to creation of AWS Elastic Compute instances — which TAs used to perform cryptojacking.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-key…
∗∗∗ NetSupport Intrusion Results in Domain Compromise ∗∗∗
---------------------------------------------
NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report on a NetSupport RAT intrusion, but malicious use of this tool dates back to at least 2016. During this report, we will analyze a case from January 2023 where a NetSupport RAT was utilized to infiltrate a network. The RAT was then used for persistence and command & control, resulting in a full domain compromise.
---------------------------------------------
https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature ∗∗∗
---------------------------------------------
Version 2.4: Updated summary to indicate additional fixed releases and updated fixed release table.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (distro-info, distro-info-data, gst-plugins-bad1.0, node-browserify-sign, nss, openjdk-11, and thunderbird), Fedora (chromium, curl, nghttp2, and xorg-x11-server-Xwayland), Gentoo (Dovecot, Rack, rxvt-unicode, and UnZip), Mageia (apache, bind, and vim), Red Hat (varnish:6), SUSE (nodejs12, opera, python-bugzilla, python-Django, and vorbis-tools), and Ubuntu (exim4, firefox, nodejs, and slurm-llnl, slurm-wlm).
---------------------------------------------
https://lwn.net/Articles/949238/
∗∗∗ Mattermost security updates 9.1.1 / 9.0.2 / 8.1.4 (ESR) / 7.8.13 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.1.1, 9.0.2, 8.1.4 (Extended Support Release), and 7.8.13 (Extended Support Release), for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-9-1-1-9-0-2-8-1-4-e…
∗∗∗ Inkdrop vulnerable to code injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN48057522/
∗∗∗ 2023-10-30: Cyber Security Advisory - ABB COM600 CODESYS Vulnerabilities ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001822&Language…
∗∗∗ Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7061278
∗∗∗ IBM i is vulnerable to a local privilege escalation due to flaws in Management Central (CVE-2023-40685, CVE-2023-40686). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7060686
∗∗∗ Due to use of Java 8.0.7.11 version, InfoSphere Data Replication is vulnerable to crypto attacks. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7061888
∗∗∗ IBM Storage Ceph is vulnerable to a stack overflow attack in Golang (CVE-2022-24675) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7061939
∗∗∗ Multiple vulnerabilities exist in the IBM SDK, Java Technology Edition affect IBM Tivoli Network Manager. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7062331
∗∗∗ A vulnerability exists in the IBM SDK, Java Technology Edition affecting IBM Tivoli Network Manager (CVE-2023-22045, CVE-2023-22049). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7062330
∗∗∗ IBM Automation Decision Services October 2023 - Multiple CVEs addressed ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7062348
∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to code injection and privilege escalation due to multiple vulnerabilities in Go ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7062415
∗∗∗ Due to the use of OpenSSL IBM Tivoli Netcool System Service Monitors/Application Service Monitors is vulnerable to a denial of service and security bypass restrictions. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7062426
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 25-10-2023 18:00 − Freitag 27-10-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ StripedFly malware framework infects 1 million Windows, Linux hosts ∗∗∗
---------------------------------------------
A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stripedfly-malware-framework…
∗∗∗ How to catch a wild triangle ∗∗∗
---------------------------------------------
How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.
---------------------------------------------
https://securelist.com/operation-triangulation-catching-wild-triangle/11091…
∗∗∗ Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction ∗∗∗
---------------------------------------------
Microsoft has been tracking activity related to the financially motivated threat actor Octo Tempest, whose evolving campaigns represent a growing concern for organizations across multiple industries. Octo Tempest leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion. With their extensive range of tactics, techniques, and procedures (TTPs), the threat actor, from our perspective, is one of the most dangerous financial criminal groups.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-cross…
∗∗∗ iLeakage: Safari unzureichend vor Spectre-Seitenkanalangriff geschützt ∗∗∗
---------------------------------------------
Sicherheitsforscher sagen, dass Apples Browser nicht ausreichend vor CPU-Seitenkanalangriffen schützt. Angreifer können Daten lesen. Es gibt Schutzmaßnahmen.
---------------------------------------------
https://www.heise.de/-9344659
∗∗∗ CISA, HHS Release Cybersecurity Healthcare Toolkit ∗∗∗
---------------------------------------------
CISA and the HHS have released resources for healthcare and public health organizations to improve their security.
---------------------------------------------
https://www.securityweek.com/cisa-hhs-release-cybersecurity-healthcare-tool…
∗∗∗ CVE-2023–4632: Local Privilege Escalation in Lenovo System Updater ∗∗∗
---------------------------------------------
The Lenovo System Update application is designed to allow non-administrators to check for and apply updates to their workstation. During the process of checking for updates, the privileged Lenovo Update application attempts to utilize C:\SSClientCommon\HelloLevel_9_58_00.xml, which doesn’t exist on the filesystem [...] This vulnerability has been fixed in the latest version of the Lenovo System Updater application.
---------------------------------------------
https://posts.specterops.io/cve-2023-4632-local-privilege-escalation-in-len…
∗∗∗ ESET APT Activity Report Q2–Q3 2023 ∗∗∗
---------------------------------------------
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 and Q3 2023
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2…
∗∗∗ Most common Active Directory misconfigurations and default settings that put your organization at risk ∗∗∗
---------------------------------------------
Introduction In this blog post, we will go over the most recurring (and critical) findings that we discovered when auditing the Active Directory environment of different companies, explain why these configurations can be dangerous, how they can be abused by attackers and how they can be mitigated or remediated.
---------------------------------------------
https://blog.nviso.eu/2023/10/26/most-common-active-directory-misconfigurat…
∗∗∗ CVE-2023-4966 Helps Usher In A Baker’s Dozen Of Citrix Tags To Further Help Organizations Mitigate Harm ∗∗∗
---------------------------------------------
Citrixs NetScaler ADC and NetScaler Gateway have, once more, been found to have multiple vulnerabilities, tracked as CVE-2023-4966 and CVE-2023-4967 [...] As of this post’s publish time, GreyNoise has observed just under seventy IP addresses attempting to exploit this vulnerability.
---------------------------------------------
https://www.greynoise.io/blog/cve-2023-4966-helps-usher-in-a-bakers-dozen-o…
∗∗∗ CISA Announces Launch of Logging Made Easy ∗∗∗
---------------------------------------------
Today, CISA announces the launch of a new version of Logging Made Easy (LME), a straightforward log management solution for Windows-based devices that can be downloaded and self-installed for free.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/10/27/cisa-announces-launch-lo…
∗∗∗ Rhysida Ransomware Technical Analysis ∗∗∗
---------------------------------------------
Technical analysis of Rhysida Ransomware family that emerged in the Q2 of 2023
---------------------------------------------
https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analys…
=====================
= Vulnerabilities =
=====================
∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-23-299-01 Dingtian DT-R002 ICSA-23-299-02 Centralite Pearl Thermostat ICSA-23-299-03 Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium ICSA-23-299-04 Rockwell Automation Arena ICSA-23-299-05 Rockwell Automation FactoryTalk View Site Edition ICSA-23-299-06 Rockwell Automation FactoryTalk Services Platform ICSA-23-299-07 Sielco PolyEco FM Transmitter ICSA-23-299-08 Sielco Radio Link and Analog FM Transmitters ICSMA-23-194-01 BD Alaris System with Guardrails Suite MX (Update A)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/10/26/cisa-releases-nine-indus…
∗∗∗ Cisco Update: HTTP/2 Rapid Reset Attack Affecting Cisco Products: October 2023 ∗∗∗
---------------------------------------------
Version 1.5: Updated the lists of vulnerable products and products confirmed not vulnerable.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Update: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature ∗∗∗
---------------------------------------------
Version 2.3: Updated summary to indicate additional fixed releases. Updated fixed release table and SMU table. Updated recommendations to add link to technical FAQ.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Juniper Update: 2023-10 Security Bulletin: Junos OS: jkdsd crash due to multiple telemetry requests (CVE-2023-44188) ∗∗∗
---------------------------------------------
2023-10-25: Added note that SRX Series devices are not vulnerable to this issue
---------------------------------------------
https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos…
∗∗∗ HPE Aruba Networking Product Security Advisory ∗∗∗
---------------------------------------------
HPE Aruba Networking has released updates to ClearPass Policy Manager that address multiple security vulnerabilities.
---------------------------------------------
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt
∗∗∗ Sicherheitsupdates: Jenkins-Plug-ins als Einfallstor für Angreifer ∗∗∗
---------------------------------------------
Jenkins kann bei der Softwareentwicklung helfen. Einige Plug-ins weisen Sicherheitslücken auf. Ein paar Updates stehen noch aus.
---------------------------------------------
https://www.heise.de/-9344802
∗∗∗ Sicherheitslücken im X.Org X-Server und Xwayland erlauben Rechteausweitung ∗∗∗
---------------------------------------------
Aktualisierte Fassung des X.Org X-Servers und von Xwayland schließen Sicherheitslücken. Die erlauben die Rechteausweitung oder einen Denial-of-Service.
---------------------------------------------
https://www.heise.de/-9345096
∗∗∗ Rechteausweitung durch Lücke in HP Print and Scan Doctor ∗∗∗
---------------------------------------------
Aktualisierte Software korrigiert einen Fehler im Support-Tool HP Print and Scan Doctor, der die Ausweitung der Rechte im System ermöglicht.
---------------------------------------------
https://www.heise.de/-9345192
∗∗∗ Konfigurationsprogramm von BIG-IP-Appliances als Sprungbrett für Angreifer ∗∗∗
---------------------------------------------
F5 hat wichtige Sicherheitsupdates für BIG-IP-Produkte veröffentlicht. Angreifer können Geräte kompromittieren.
---------------------------------------------
https://www.heise.de/-9346460
∗∗∗ Lücken in Nessus Network Monitor ermöglichen Rechteerhöhung ∗∗∗
---------------------------------------------
Eine neue Version vom Nessus Network Monitor schließt Sicherheitslücken, durch die Angreifer etwa ihre Rechte erhöhen können.
---------------------------------------------
https://www.heise.de/news/-9346392
∗∗∗ VMWare Tools: Schwachstellen erlauben Rechteausweitung ∗∗∗
---------------------------------------------
Die VMware Tools unter Linux, Windows und macOS erlauben Angreifern unter bestimmten Umständen, unbefugt Kommandos abzusetzen. Noch sind nicht alle Updates da.
---------------------------------------------
https://www.heise.de/-9346863
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 16, 2023 to October 22, 2023) ∗∗∗
---------------------------------------------
Last week, there were 109 vulnerabilities disclosed in 95 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week.
---------------------------------------------
https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and xorg-server), Fedora (firefox, mbedtls, nodejs18, nodejs20, and xen), Gentoo (libinput, unifi, and USBView), Mageia (python-nltk), Oracle (linux-firmware), Red Hat (nginx:1.22), SUSE (chromium, firefox, java-11-openjdk, jetty-minimal, nghttp2, nodejs18, webkit2gtk3, and zlib), and Ubuntu (linux, linux-lowlatency, linux-oracle-5.15, vim, and xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/948930/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and firefox-esr), Fedora (firefox, redis, samba, and xen), Oracle (python39:3.9, python39-devel:3.9), Slackware (mozilla and xorg), and SUSE (libnbd, open-vm-tools, python, sox, vorbis-tools, and zchunk).
---------------------------------------------
https://lwn.net/Articles/949057/
∗∗∗ Critical Mirth Connect Vulnerability Could Expose Sensitive Healthcare Data ∗∗∗
---------------------------------------------
Mirth Connect versions prior to 4.4.1 are vulnerable to CVE-2023-43208, a bypass for an RCE vulnerability.
---------------------------------------------
https://www.securityweek.com/critical-mirth-connect-vulnerability-could-exp…
∗∗∗ Apple Releases Security Advisories for Multiple Products ∗∗∗
---------------------------------------------
Apple has released security updates to address vulnerabilities in multiple products.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/10/26/apple-releases-security-…
∗∗∗ Schwachstelle CVE-2023-5363 in OpenSSL ∗∗∗
---------------------------------------------
In der Software OpenSSL wurde eine Schwachstelle CVE-2023-5363 gefunden. Die Initialisierung der Verschlüsselungsschlüssellänge und des Initialisierungsvektors in OpenSLL ist fehlerhaft. Für die Linux-Distributionen Debian und Ubuntu ist ein Fix aber bereits verfügbar.
---------------------------------------------
https://www.borncity.com/blog/2023/10/27/schwachstelle-cve-2023-5363-in-ope…
∗∗∗ ServiceNow fixt stillschweigend Bug aus 2015 der Datenlecks ermöglichte ∗∗∗
---------------------------------------------
Das US-Unternehmen ServiceNow Inc. bietet eine Cloud-Plattform an, in deren Software wohl seit 2015 ein Bug klaffte, über den Dritte ohne Authentifizierung Informationen abziehen konnten. Nachdem ein Sicherheitsforscher auf die Schwachstelle gestoßen ist, wurde diese stillschweigend in der Cloud-Lösung beseitigt.
---------------------------------------------
https://www.borncity.com/blog/2023/10/27/servicenow-fixt-stillschweigend-bu…
∗∗∗ 9 vulnerabilities found in VPN software, including 1 critical issue that could lead to remote code execution ∗∗∗
---------------------------------------------
Attackers could exploit these vulnerabilities in the SoftEther VPN solution for individual and enterprise users to force users to drop their connections or execute arbitrary code on the targeted machine.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-oct-25-2023/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ VMSA-2023-0024 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0024.html
∗∗∗ SonicWall SSO Agent - Directory Services Connector MSI Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0016
∗∗∗ SonicWall NetExtender Windows Client DLL Search Order Hijacking Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0017
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 24-10-2023 18:00 − Mittwoch 25-10-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Citrix Bleed exploit lets hackers hijack NetScaler accounts ∗∗∗
---------------------------------------------
A proof-of-concept (PoC) exploit is released for the Citrix Bleed vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/citrix-bleed-exploit-lets-ha…
∗∗∗ Phishing-Masche: Klarstellung wegen Viren-Versands gefordert ∗∗∗
---------------------------------------------
Die Verbraucherzentralen warnen vor Betrugsmails, die Empfänger zu einer Klarstellung auffordern. Es seien Beschwerden wegen Malware-Versands eingegangen.
---------------------------------------------
https://www.heise.de/news/Phishing-Masche-Klarstellung-wegen-Viren-Versands…
∗∗∗ Exploitcode für Root-Lücke in VMware Aria Operations for Logs in Umlauf ∗∗∗
---------------------------------------------
In Umlauf befindlicher Exploitcode gefährdet VMwares Management-Plattform für Cloudumgebungen. Admins sollten jetzt Sicherheitsupdates installieren.
---------------------------------------------
https://www.heise.de/news/Exploitcode-fuer-Root-Luecke-in-VMware-Aria-Opera…
∗∗∗ Webmailer Roundcube: Attacken auf Zero-Day-Lücke ∗∗∗
---------------------------------------------
Im Webmailer Roundcube missbrauchen Cyberkriminelle eine Sicherheitslücke, um verwundbare Einrichtungen anzugreifen. Ein Update schließt das Leck.
---------------------------------------------
https://www.heise.de/news/Webmailer-Roundcube-Attacken-auf-Zero-Day-Luecke-…
∗∗∗ Teils kritische Lücken in VMware vCenter Server und Cloud Foundation geschlossen ∗∗∗
---------------------------------------------
VMware hat aktualisierte Softwarepakete veröffentlicht, die mehrere Lücken in vCenter Server und Cloud Foundation abdichten. Eine gilt als kritisch.
---------------------------------------------
https://www.heise.de/news/Update-stopft-kritische-Luecke-in-VMware-vCenter-…
∗∗∗ Nusuccess: Seriöse Marketingagentur oder unseriöses Schneeballsystem? ∗∗∗
---------------------------------------------
Die Nusuccess FZCO mit Sitz in Dubai – vormals mit Sitz in Kärnten – bezeichnet sich selbst als „weltweit renommierte Werbeagentur“. Welche Leistungen diese Firma tatsächlich erbringt, bleibt aber im besten Fall vage. Erfahrungsberichte deuten darauf hin, dass sie ihren Gewinn hauptsächlich durch den Verkauf von teuren „Franchise-Paketen“ erzielt. Was genau Inhalt dieser Franchise-Pakete sein soll, bleibt unklar.
---------------------------------------------
https://www.watchlist-internet.at/news/nusuccess-serioese-marketingagentur-…
∗∗∗ Social engineering: Hacking minds over bytes ∗∗∗
---------------------------------------------
In this blog, lets focus on the intersection of psychology and technology, where cybercriminals manipulate human psychology through digital means to achieve their objectives.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/social-engineering-…
∗∗∗ How to Secure the WordPress Login Page ∗∗∗
---------------------------------------------
Given that WordPress powers millions of websites worldwide, it’s no surprise that it’s a prime target for malicious activities ranging from brute force attacks and hacking attempts to unauthorized access — all of which can wreak havoc on your site’s functionality, damage reputation, or even result in lost revenue and sales. A common entry point often exploited by hackers is the WordPress login page, [...]
---------------------------------------------
https://blog.sucuri.net/2023/10/how-to-secure-the-wordpress-login-page.html
∗∗∗ The Rise of S3 Ransomware: How to Identify and Combat It ∗∗∗
---------------------------------------------
In todays digital landscape, around 60% of corporate data now resides in the cloud, with Amazon S3 standing as the backbone of data storage for many major corporations. Despite S3 being a secure service from a reputable provider, its pivotal role in handling vast amounts of sensitive data (customer personal information, financial data, intellectual property, etc.), provides a juicy target for threat actors. It remains susceptible to ransomware attacks which are often initiated using leaked access keys that have accidentally been exposed by human error and have access to the organization's buckets.
---------------------------------------------
https://thehackernews.com/2023/10/the-rise-of-s3-ransomware-how-to.html
∗∗∗ RT 5.0.5 and 4.4.7 Now Available ∗∗∗
---------------------------------------------
RT versions 5.0.5 and 4.4.7 are now available. In addition to some new features and bug fixes, these releases contain important security updates and are recommended for all RT users.
---------------------------------------------
https://bestpractical.com/blog/2023/10/rt-505-and-447-now-available
=====================
= Vulnerabilities =
=====================
∗∗∗ Lücke in Cisco IOS XE: Auch Rockwell-Industrieswitches betroffen ∗∗∗
---------------------------------------------
Neben Cisco-eigenen Geräten sind auch Rockwell-Switches der Stratix-Serie für den Industrieeinsatz betroffen. Eine Fehlerbehebung steht noch aus.
---------------------------------------------
https://www.heise.de/news/Luecke-in-Cisco-IOS-XE-Auch-Rockwell-Industrieswi…
∗∗∗ VMSA-2023-0023 ∗∗∗
---------------------------------------------
Synopsis: VMware vCenter Server updates address out-of-bounds write and information disclosure vulnerabilities (CVE-2023-34048, CVE-2023-34056)
1. Impacted Products
* VMware vCenter Server
* VMware Cloud Foundation
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0023.html
∗∗∗ Several Critical Vulnerabilities Patched in AI ChatBot Plugin for WordPress ∗∗∗
---------------------------------------------
On September 28, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for multiple vulnerabilities in AI ChatBot, a WordPress plugin with over 4,000 active installations. After making our initial contact attempt on September 28th, 2023, we received a response on September 29, 2023 and sent over our full disclosure details.
---------------------------------------------
https://www.wordfence.com/blog/2023/10/several-critical-vulnerabilities-pat…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-bad1.0, openssl, roundcube, and xorg-server), Fedora (dotnet6.0, dotnet7.0, roundcubemail, and wordpress), Mageia (redis), Oracle (dnsmasq, python27:2.7, python3, tomcat, and varnish), Red Hat (python39:3.9, python39-devel:3.9), Slackware (mozilla and vim), SUSE (openssl-3, poppler, ruby2.5, and xen), and Ubuntu (.Net, linux-gcp-5.15, linux-gkeop-5.15, linux-intel-iotg-5.15, linux-starfive-6.2, mysql-5.7, ncurses, and openssl).
---------------------------------------------
https://lwn.net/Articles/948814/
∗∗∗ Movable Type vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN39139884/
∗∗∗ TEM Opera Plus FM Family Transmitter 35.45 XSRF ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5800.php
∗∗∗ TEM Opera Plus FM Family Transmitter 35.45 Remote Code Execution ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5799.php
∗∗∗ VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) Remote Denial Of Service ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5798.php
∗∗∗ AIX is vulnerable to sensitive information exposure due to Perl (CVE-2023-31484 and CVE-2023-31486) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7047272
∗∗∗ IBM QRadar SIEM includes components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7049133
∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to weaker than expected security (CVE-2023-46158) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7058540
∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to weaker than expected security (CVE-2023-46158) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7058536
∗∗∗ A vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Business Developer. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7059262
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily