[CERT-daily] Tageszusammenfassung - 20.12.2023
Daily end-of-shift report
team at cert.at
Wed Dec 20 18:37:00 CET 2023
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 19-12-2023 18:00 − Mittwoch 20-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Datenleckseite beschlagnahmt: Das FBI und die ALPHV-Hacker spielen Katz und Maus ∗∗∗
---------------------------------------------
Das FBI hat die Datenleckseite der Ransomwaregruppe ALPHV beschlagnahmt. Die Hacker haben jedoch auch noch Zugriff darauf. Sie drohen nun mit neuen Regeln.
---------------------------------------------
https://www.golem.de/news/datenleckseite-beschlagnahmt-das-fbi-und-die-alphv-hacker-spielen-katz-und-maus-2312-180504.html
∗∗∗ Remote Encryption Attacks Surge: How One Vulnerable Device Can Spell Disaster ∗∗∗
---------------------------------------------
Ransomware groups are increasingly switching to remote encryption in their attacks, marking a new escalation in tactics adopted by financially motivated actors to ensure the success of their campaigns."Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network," [...]
---------------------------------------------
https://thehackernews.com/2023/12/remote-encryption-attacks-surge-how-one.html
∗∗∗ Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla ∗∗∗
---------------------------------------------
First discovered in 2014, Agent Tesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers. Recently, Zscaler ThreatLabz detected a threat campaign where threat actors leverage CVE-2017-11882 XLAM to spread Agent Tesla to users on vulnerable versions of Microsoft Office.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
∗∗∗ New MetaStealer malvertising campaigns ∗∗∗
---------------------------------------------
In recent malvertising campaigns, threat actors dropped the MetaStealer information stealer, more or less coinciding with a new version release.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/12/new-metastealer-malvertising-campaigns
∗∗∗ BSI und ANSSI veröffentlichen Publikation zu Remote Identity Proofing ∗∗∗
---------------------------------------------
Das BSI hat zusammen mit der französischen Behörde für IT-Sicherheit, ANSSI, eine gemeinsame Publikation veröffentlicht. Die diesjährige Veröffentlichung beschäftigt sich mit den Gefahren und möglichen Angriffsvektoren, die in den verschiedenen Phasen der videobasierten Identifikation entstehen.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldungen/ANSSI_BSI_Remote_Identity_Proofing_231220.html
∗∗∗ Why Is an Australian Footballer Collecting My Passwords? The Various Ways Malicious JavaScript Can Steal Your Secrets ∗∗∗
---------------------------------------------
Malicious JavaScript is used to steal PPI via survey sites, web chat APIs and more. We detail how JavaScript malware is implemented and evades detection.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-javascript-steals-sensitive-data/
∗∗∗ Behind the scenes: JaskaGO’s coordinated strike on macOS and Windows ∗∗∗
---------------------------------------------
In recent developments, a sophisticated malware stealer strain crafted in the Go programming language has been discovered by AT&T Alien Labs, posing a severe threat to both Windows and macOS operating systems. As of the time of publishing of this article, traditional antivirus solutions have low or even non-existent detection rates, making it a stealthy and formidable adversary.
---------------------------------------------
https://cybersecurity.att.com/blogs/labs-research/behind-the-scenes-jaskagos-coordinated-strike-on-macos-and-windows
∗∗∗ Spike in Atlassian Exploitation Attempts: Patching is Crucial ∗∗∗
---------------------------------------------
In the blog we discuss the importance of securing your Atlassian products, provide valuable insights on various IP activities, and offer friendly advice on proactive measures to protect your organization.
---------------------------------------------
https://www.greynoise.io/blog/spike-in-atlassian-exploitation-attempts-patching-is-crucial
∗∗∗ Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors ∗∗∗
---------------------------------------------
Earlier this year, Mandiant’s Managed Defense threat hunting team identified an UNC2975 malicious advertising (“malvertising”) campaign presented to users in sponsored search engine results and social media posts, consistent with activity reported in From DarkGate to DanaBot. This campaign dates back to at least June 19, 2023, and has abused search engine traffic and leveraged malicious advertisements to affect multiple organizations, which resulted in the delivery of the DANABOT and DARKGATE backdoors.
---------------------------------------------
https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-1810: QEMU NVMe Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to disclose sensitive information on affected installations of QEMU. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.0.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-1810/
∗∗∗ ZDI-23-1813: Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-1813/
∗∗∗ Sitefinity Security Advisory for Addressing Security Vulnerability CVE-2023-6784, December 2023 ∗∗∗
---------------------------------------------
The Progress Sitefinity team recently discovered a MEDIUM CVSS vulnerability in the Sitefinity application available under # CVE-2023-6784. A fix has been developed and tested – and is now available for download. Below you can find information about the discoveries and version-specific product updates for supported versions.
---------------------------------------------
https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2023-6784-December-2023
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (ansible and ansible-core), Gentoo (Minecraft Server and thunderbird), Mageia (fusiondirectory), Red Hat (gstreamer1-plugins-bad-free, opensc, and openssl), Slackware (libssh and mozilla), SUSE (avahi, firefox, ghostscript, gstreamer-plugins-bad, mariadb, openssh, openssl-1_1-livepatches, python-aiohttp, python-cryptography, xorg-x11-server, and xwayland), and Ubuntu (libssh and openssh).
---------------------------------------------
https://lwn.net/Articles/955786/
∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Apple has released security updates to address vulnerabilities in Safari, iOS, iPadOS, and macOS Sonoma. A cyber threat actor could exploit one of these vulnerabilities to obtain sensitive information. CISA encourages users and administrators to review Apple security releases and apply necessary updates.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/12/20/apple-releases-security-updates-multiple-products
∗∗∗ New Ivanti Avalanche Vulnerabilities ∗∗∗
---------------------------------------------
As part of our ongoing strengthening of the security of our products we have discovered twenty new vulnerabilities in the Ivanti Avalanche on-premise product. We are reporting these vulnerabilities as the CVE numbers listed below. These vulnerabilities impact all supported versions of the products – Avalanche versions 6.3.1 and above. Older versions/releases are also at risk. This release corrects multiple memory corruption vulnerabilities, covered in these security advisories: [...]
---------------------------------------------
https://www.ivanti.com/blog/new-ivanti-avalanche-vulnerabilities
∗∗∗ Multiple vulnerabilites in D-Link G416 routers ∗∗∗
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10367
∗∗∗ K000137965 : Apache Tomcat vulnerability CVE-2023-45648 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000137965
∗∗∗ K000137966 : Apache Tomcat vulnerability CVE-2023-42794 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000137966
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities. [CVE-2022-42889, CVE-2023-35001, CVE-2023-32233] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7095693
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7087688
∗∗∗ IBM Maximo Application Suite - IoT Component uses Pygments-2.14.0-py3-none-any.whl which is vulnerable to CVE-2022-40896 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7099774
∗∗∗ IBM Maximo Application Suite uses urllib3-1.26.16-py2.py3-none-any.whl which is vulnerable to CVE-2023-43804 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7099772
∗∗∗ IBM Sterling B2B Integrator EBICs client affected by multiple issues due to Jettison ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7099862
∗∗∗ IBM Security Guardium is affected by a guava-18.0.jar vulnerability (CVE-2023-2976) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7099896
∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7100525
∗∗∗ IBM Security Guardium is affected by a multiple vulnerabilities (CVE-2023-39975, CVE-2023-34042) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7100884
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list