[CERT-daily] Daily summary - 09.11.2023
Daily end-of-shift report
team at cert.at
Thu Nov 9 19:10:24 CET 2023
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 08-11-2023 18:00 - Thursday 09-11-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
*** Highly invasive backdoor snuck into open source packages targets developers ***
---------------------------------------------
Packages downloaded thousands of times targeted people working on sensitive projects.
---------------------------------------------
https://arstechnica.com/?p=1982281
*** Google ads push malicious CPU-Z app from fake Windows news site ***
---------------------------------------------
A threat actor has been abusing Google Ads to distribute a trojanized version of the CPU-Z tool to deliver the Redline info-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-ads-push-malicious-cpu-z-app-from-fake-windows-news-site/
*** Visual Examples of Code Injection, (Thu, Nov 9th) ***
---------------------------------------------
I spotted an interesting sample that performs this technique and I was able to collect "visible" information. The malware was delivered through a phishing email with a ZIP archive.
---------------------------------------------
https://isc.sans.edu/diary/rss/30388
*** Google Play: Extra security checks are meant to make apps more trustworthy ***
---------------------------------------------
Effective immediately, certain apps in Google Play are marked with a new badge that is meant to guarantee more security. A few VPN apps are the first.
---------------------------------------------
https://www.heise.de/-9357280
*** Spammers abuse Google Forms' quiz to deliver scams ***
---------------------------------------------
Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms.
---------------------------------------------
https://blog.talosintelligence.com/google-forms-quiz-spam/
*** GhostLocker - A "Work In Progress" RaaS ***
---------------------------------------------
GhostSec has introduced a novel Ransom-as-a-Service encryptor known as GhostLocker.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/11/08/ghostlocker-a-work-in-progress-raas/
=====================
= Vulnerabilities =
=====================
*** Security updates for Thursday ***
---------------------------------------------
Security updates have been issued by Debian (cacti and chromium), Fedora (CuraEngine, podman, and rubygem-rmagick), Mageia (gnome-shell, openssl, and zlib), SUSE (salt), and Ubuntu (xrdp).
---------------------------------------------
https://lwn.net/Articles/950850/
*** CVE-2023-3282 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine (Severity: MEDIUM) ***
---------------------------------------------
This issue is applicable only to Cortex XSOAR engines installed through the shell method that are running on a Linux operating system.
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-3282
*** CVE-2023-47246: SysAid Zero-Day Vulnerability Exploited By Lace Tempest ***
---------------------------------------------
A new zero-day vulnerability (CVE-2023-47246) in SysAid IT service management software is being exploited by the threat group responsible for the MOVEit Transfer attack in May 2023.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/11/09/etr-cve-2023-47246-sysaid-zero-day-vulnerability-exploited-by-lace-tempest/
*** Drupal: GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051 ***
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-051
*** Drupal: GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050 ***
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-050
*** Weidmüller: WIBU Vulnerability in multiple Products ***
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-032/
*** Johnson Controls Quantum HD Unity ***
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-01
*** Hitachi Energy eSOMS ***
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-313-02
*** IBM Security Guardium is affected by denial of service vulnerabilities (CVE-2023-3635, CVE-2023-28118) ***
---------------------------------------------
https://www.ibm.com/support/pages/node/7069238
*** IBM Security Guardium is affected by a denial of service vulnerability in Apache Struts (CVE-2023-34149) ***
---------------------------------------------
https://www.ibm.com/support/pages/node/7069237
*** Vulnerabilities in Linux Kernel, Samba, Golang, Curl, and openssl can affect IBM Spectrum Protect Plus ***
---------------------------------------------
https://www.ibm.com/support/pages/node/7069319
*** A vulnerability in Samba affects IBM Storage Scale SMB protocol access method (CVE-2022-2127) ***
---------------------------------------------
https://www.ibm.com/support/pages/node/7070025
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily