[CERT-daily] Tageszusammenfassung - 11.12.2023

Daily end-of-shift report team at cert.at
Mon Dec 11 18:32:45 CET 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 07-12-2023 18:00 − Montag 11-12-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ AutoSpill attack steals credentials from Android password managers ∗∗∗
---------------------------------------------
Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/autospill-attack-steals-credentials-from-android-password-managers/


∗∗∗ Over 30% of Log4J apps use a vulnerable version of the library ∗∗∗
---------------------------------------------
Roughly 38% of applications using the Apache Log4j library are using a version vulnerable to security issues, including Log4Shell, a critical vulnerability identified as CVE-2021-44228 that carries the maximum severity rating, despite patches being available for more than two years.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-30-percent-of-log4j-apps-use-a-vulnerable-version-of-the-library/


∗∗∗ Sicherheitsupdate: WordPress unter bestimmten Bedingungen angreifbar ∗∗∗
---------------------------------------------
In der aktuellen WordPress-Version haben die Entwickler eine Sicherheitslücke geschlossen.
---------------------------------------------
https://www.heise.de/-9567923


∗∗∗ DoS-Schwachstellen: Angreifer können 714 Smartphone-Modelle vom 5G-Netz trennen ∗∗∗
---------------------------------------------
Forscher haben mehrere Schwachstellen in gängigen 5G-Modems offengelegt. Damit können Angreifer vielen Smartphone-Nutzern 5G-Verbindungen verwehren.
---------------------------------------------
https://www.golem.de/news/dos-schwachstellen-angreifer-koennen-714-smartphone-modelle-vom-5g-netz-trennen-2312-180183.html


∗∗∗ 40 New Domains of Magecart Veteran ATMZOW Found in Google Tag Manager ∗∗∗
---------------------------------------------
In today’s post, we’ll take a look at some recent Google Tag Manager containers used in ecommerce malware, examine some newer forms of obfuscation techniques used in the malicious code, and track the evolution of the ATMZOW skimmer linked to widespread Magento website infections since 2015.
---------------------------------------------
https://blog.sucuri.net/2023/12/40-new-domains-of-magecart-veteran-atmzow-found-in-google-tag-manager.html


∗∗∗ Bluetooth-Lücke erlaubt Einschleusen von Tastenanschlägen ∗∗∗
---------------------------------------------
Eine Sicherheitslücke in Bluetooth-Stacks erlaubt Angreifern, Tastenanschläge einzuschmuggeln. Unter Android, iOS, Linux und macOS.
---------------------------------------------
https://www.heise.de/-9570583


∗∗∗ Achtung Fake-Shop: fressnapfs.shop ∗∗∗
---------------------------------------------
Kriminelle schalten auf Facebook und Instagram Werbung für einen betrügerischen Fressnapf-Online-Shop. Der gefälschte Online-Shop sieht dem echten Shop zum Verwechseln ähnlich. Auch die Internetadresse „fressnapfs.shop“ scheint plausibel. Wenn Sie beim Fake-Shop bestellen, verlieren Sie Ihr Geld und erhalten keine Lieferung!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-shop-fressnapfsshop/


∗∗∗ To tap or not to tap: Are NFC payments safer? ∗∗∗
---------------------------------------------
Contactless payments are quickly becoming ubiquitous – but are they more secure than traditional payment methods?
---------------------------------------------
https://www.welivesecurity.com/en/cybersecurity/to-tap-or-not-to-tap-are-nfc-payments-safer/


∗∗∗ Kaspersky entdeckt „hochkomplexen“ Proxy-Trojaner für macOS ∗∗∗
---------------------------------------------
Die Malware wird über raubkopierte Software verbreitet. Varianten für Android und Windows sind offenbar auch im Umlauf.
---------------------------------------------
https://www.zdnet.de/88413363/kaspersky-entdeckt-hochkomplexen-proxy-trojaner-fuer-macos/


∗∗∗ Risiko Active Directory-Fehlkonfigurationen; Forest Druid zur Analyse ∗∗∗
---------------------------------------------
Fehlkonfigurationen und Standardeinstellungen des Active Directory können die IT-Sicherheit von Unternehmen gefährden. Bastien Bossiroy von den NVISO Labs hat sich Gedanken um dieses Thema gemacht und bereits Ende Oktober 2023 einen Beitrag zu den häufigsten Fehlkonfigurationen/Standardkonfigurationen des Active Directory, die Unternehmen gefährden, veröffentlicht. Zudem ist mir kürzlich ein Hinweis auf "Forest Druid" untergekommen, ein kostenloses Attack-Path-Management-Tool von Semperis.
---------------------------------------------
https://www.borncity.com/blog/2023/12/09/risiko-active-directory-die-hufigsten-fehlkonfigurationen-standardkonfigurationen-forest-druid-zur-analyse/


∗∗∗ Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang ∗∗∗
---------------------------------------------
Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based RAT utilizing Telegram as its C2 channel. We’re naming this malware family “NineRAT.” NineRAT was initially built around May 2022 and was first used in this campaign as early as March 2023, almost a year later, against a South American agricultural organization. We then saw NineRAT being used again around September 2023 against a European manufacturing entity.
---------------------------------------------
https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/


∗∗∗ 2023 Review: Reflecting on Cybersecurity Trends ∗∗∗
---------------------------------------------
With the season of ubiquitous year-ahead predictions around the corner, Trend Micro’s Greg Young and William Malik decided to look back at 2023 and see which forecasted cybersecurity trends came to pass and which, um, didn’t.
---------------------------------------------
https://www.trendmicro.com/en_us/ciso/23/l/2023-review-reflecting-on-cybersecurity-trends.html


∗∗∗ Analyzing AsyncRATs Code Injection into aspnet_compiler.exe Across Multiple Incident Response Cases ∗∗∗
---------------------------------------------
This blog entry delves into MxDRs unraveling of the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/l/analyzing-asyncrat-code-injection-into-aspnetcompiler-exe.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Resolved RCE in Sophos Firewall (CVE-2022-3236) ∗∗∗
---------------------------------------------
The vulnerability was originally fixed in September 2022. In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall. No action is required if organizations have upgraded their firewalls to a supported firmware version after September 2022.
---------------------------------------------
https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce


∗∗∗ Sicherheitslücken: Angreifer können Schadcode auf Qnap NAS schieben ∗∗∗
---------------------------------------------
Netzwerkspeicher von Qnap sind verwundbar. In aktuellen Versionen haben die Entwickler Sicherheitsprobleme gelöst.
---------------------------------------------
https://www.heise.de/-9570375


∗∗∗ New RCE vulnerability in Apache Struts 2 fixed, upgrade ASAP (CVE-2023-50164) ∗∗∗
---------------------------------------------
The Apache Struts project has released updates for the popular open-source web application framework, with fixes for a critical vulnerability that could lead to remote code execution (CVE-2023-50164).
---------------------------------------------
https://www.helpnetsecurity.com/2023/12/08/cve-2023-50164/


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium), Mageia (firefox, thunderbird, and vim), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools- container, virt-operator-container), and Ubuntu (freerdp2, glibc, and tinyxml).
---------------------------------------------
https://lwn.net/Articles/954092/


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (bluez, chromium, and curl), Red Hat (apr), Slackware (libxml2), and Ubuntu (squid3 and tar).
---------------------------------------------
https://lwn.net/Articles/954449/


∗∗∗ Edge 120.0.2210.61 mit Sicherheitsfixes und neuer Telemetriefunktion ∗∗∗
---------------------------------------------
Microsoft hat zum 7. Dezember 2023 den Edge 120.0.2210.61 im Stable-Channel veröffentlicht. Diese Version schließt gleich drei Schwachstellen (und zudem Chromium-Sicherheitslücken). Der neue Edge kommt zudem mit neuen Richtlinien.
---------------------------------------------
https://www.borncity.com/blog/2023/12/08/edge-120-0-2210-61-mit-sicherheitsfixes-und-neuer-telemetriefunktion/


∗∗∗ GarageBand 10.4.9 ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT214042


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Frauscher: FDS102 for FAdC/FAdCi remote code execution vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-049/


∗∗∗ Local Privilege Escalation durch MSI installer in PDF24 Creator (geek Software GmbH) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escalation-durch-msi-installer-in-pdf24-creator-geek-software-gmbh/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list