[CERT-daily] Daily summary - 19.12.2023
Daily end-of-shift report
team at cert.at
Tue Dec 19 18:20:39 CET 2023
=====================
= End-of-Day report =
=====================
Timeframe: Monday 18-12-2023 18:00 − Tuesday 19-12-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Acute wave of DDoS attacks on state-affiliated and critical infrastructure in Austria ∗∗∗
---------------------------------------------
Recently, Austrian state and state-affiliated organizations as well as critical infrastructure companies have increasingly been facing DDoS attacks. The exact background of the attacks is currently unknown to us, but there are indications of a hacktivist motivation. In light of current events, we recommend that companies and organizations re-examine their own processes and technical measures for effectiveness, in order to be as well prepared as possible in the event of an attack. This applies in particular because an intensification of the attacks cannot be ruled out.
---------------------------------------------
https://cert.at/de/aktuelles/2023/12/akute-welle-an-ddos-angriffen-auf-staatsnahe-und-kritische-infrastruktur-in-osterreich
∗∗∗ New attack technique: Terrapin weakens encrypted SSH connections ∗∗∗
---------------------------------------------
An attack can apparently lead to the use of less secure authentication algorithms. Many common SSH implementations are affected.
---------------------------------------------
https://www.golem.de/news/neue-angriffstechnik-terrapin-schwaecht-verschluesselte-ssh-verbindungen-2312-180474.html
∗∗∗ FBI disrupts Blackcat ransomware operation, creates decryption tool ∗∗∗
---------------------------------------------
The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-disrupts-blackcat-ransomware-operation-creates-decryption-tool/
∗∗∗ 8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware ∗∗∗
---------------------------------------------
The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers.
---------------------------------------------
https://thehackernews.com/2023/12/8220-gang-exploiting-oracle-weblogic.html
∗∗∗ Hackers Abusing GitHub to Evade Detection and Control Compromised Hosts ∗∗∗
---------------------------------------------
Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages.
---------------------------------------------
https://thehackernews.com/2023/12/hackers-abusing-github-to-evade.html
∗∗∗ Mute the Sound: Chaining Vulnerabilities to Achieve RCE on Outlook: Pt 1 ∗∗∗
---------------------------------------------
In this post, we have detailed the research process that led to the discovery of the two bypasses, including their root-cause analysis. As we’ve shown, Windows path parsing code is complex and often can lead to vulnerabilities. [..] Windows machines with the October 2023 software update installed are protected from these vulnerabilities. Additionally, Outlook clients that use Exchange servers patched with March 2023 software update are protected against the abused feature.
---------------------------------------------
https://www.akamai.com/blog/security-research/2023/dec/chaining-vulnerabilities-to-achieve-rce-part-one
∗∗∗ Botnet: Qakbot active again with new phishing campaign ∗∗∗
---------------------------------------------
In August, international law enforcement took down the Quakbot botnet. Now Microsoft has discovered a new phishing campaign.
---------------------------------------------
https://www.heise.de/-9577963
∗∗∗ Retro Gaming Vulnerability Research: Warcraft 2 ∗∗∗
---------------------------------------------
This blog post is part one in a short series on learning some basic game hacking techniques. [..] I leave it as an exercise to the reader to extend wc2shell further to add the first checksum byte and attempt to fuzz other traffic.
---------------------------------------------
https://research.nccgroup.com/2023/12/19/retro-gaming-vulnerability-research-warcraft-2/
∗∗∗ Beware of fake: “Your iCloud storage is full. Get 50 GB FREE!” ∗∗∗
---------------------------------------------
Your iCloud storage is full? But you are supposedly getting 50 GB for free? Careful, this e-mail is phishing. Do not tap the “Get 50 GB” button. You would land on a fake iCloud website that steals your login credentials.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-ihr-icloud-speicher-ist-voll-erhalten-sie-50-gb-kostenlos/
∗∗∗ Apache ActiveMQ Vulnerability (CVE-2023-46604) Continuously Being Exploited in Attacks ∗∗∗
---------------------------------------------
This post will cover the recent additional attacks that installed Ladon, NetCat, AnyDesk, and z0Miner.
---------------------------------------------
https://asec.ahnlab.com/en/59904/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk), Fedora (rdiff-backup and xorg-x11-server-Xwayland), Mageia (cjose and ghostscript), Oracle (avahi), Red Hat (postgresql:10), and SUSE (avahi, freerdp, libsass, and ncurses).
---------------------------------------------
https://lwn.net/Articles/955678/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ mozilla: Security Vulnerabilities fixed in Firefox 121 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/
∗∗∗ mozilla: Security Vulnerabilities fixed in Thunderbird 115.6 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/
∗∗∗ mozilla: Security Vulnerabilities fixed in Firefox ESR 115.6 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/
∗∗∗ EFACEC UC 500E ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-03
∗∗∗ Subnet Solutions Inc. PowerSYSTEM Center ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-01
∗∗∗ Open Design Alliance Drawing SDK ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-04
∗∗∗ EFACEC BCU 500 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-02
∗∗∗ EuroTel ETL3100 Radio Transmitter ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-05
∗∗∗ F5: K000137926 : Apache Tomcat vulnerability CVE-2023-46589 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000137926
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily