[CERT-daily] Daily summary - 14.11.2023

Daily end-of-shift report team at cert.at
Tue Nov 14 19:14:03 CET 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 13-11-2023 18:00 − Tuesday 14-11-2023 18:00
Handler:     Stephan Richter
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ CISA warns of actively exploited Juniper pre-auth RCE exploit chain ∗∗∗
---------------------------------------------
CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks as part of a pre-auth exploit chain. The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper's J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-juniper-pre-auth-rce-exploit-chain/


∗∗∗ ChatGPT, Bard and others: AI systems allow data to be exfiltrated ∗∗∗
---------------------------------------------
Targeted queries can be used to extract private and protected data from AI systems. The attacks demonstrate a fundamental problem.
---------------------------------------------
https://www.golem.de/news/chatgpt-bard-und-andere-ki-systeme-ermoeglichen-ausleiten-von-daten-2311-179405.html


∗∗∗ Noticing command and control channels by reviewing DNS protocols, (Mon, Nov 13th) ∗∗∗
---------------------------------------------
Malicious software pieces installed in computers call home. Some of them can be noticed because they perform DNS lookups, and some of them initiate connections without a DNS lookup. This last option is abnormal and can be noticed by any Network Detection and Response (NDR) tool that reviews the network traffic for at least two weeks. Most companies do not have the money to afford an NDR, so I'm going to show you today an interesting tip that has worked for me to notice APTs calling home when they perform DNS lookups.
---------------------------------------------
https://isc.sans.edu/diary/rss/30396


∗∗∗ Bug hunters on your marks: TETRA radio encryption algorithms to enter public domain ∗∗∗
---------------------------------------------
The algorithms are used by TETRA – short for the Terrestrial Trunked Radio protocol – and they are operated by governments, law enforcement, military and emergency services organizations in Europe, the UK, and other countries.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/11/14/tetra_encryption_algorithms_open_sourced/


∗∗∗ Novel backdoor persists even after critical Confluence vulnerability is patched ∗∗∗
---------------------------------------------
Got a Confluence server? Listen up. Malware said to have wide-ranging capabilities. A new backdoor was this week found implanted in the environments of organizations to exploit the recently disclosed critical vulnerability in Atlassian Confluence.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/11/14/novel_backdoor_persists_confluence/


∗∗∗ Nothing new, still broken, insecure by default since then: Python's e-mail libraries and certificate verification ∗∗∗
---------------------------------------------
Today, basically every e-mail provider supports TLS for their services, and programmatically accessing e-mail services with Python code using TLS-wrapped clients is common. Python offers three libraries shipped with a standard installation for handling e-mail transfer. These modules are smtplib, imaplib, and poplib. While Python programming is usually straightforward, using these Python libraries requires passing a magic parameter in the right way to get secure communication.
---------------------------------------------
https://www.pentagrid.ch/en/blog/python-mail-libraries-certificate-verification/


∗∗∗ LockBit ransomware group assemble strike team to breach banks, law firms and governments. ∗∗∗
---------------------------------------------
[...] I thought it would be good to break down what is happening and how they’re doing it, since LockBit are breaching some of the world’s largest organisations - many of whom have incredibly large security budgets. Through data allowing the tracking of ransomware operators, it has been possible to track individual targets. Recently, it has become clear they have been targeting a vulnerability in Citrix Netscaler, called CitrixBleed.
---------------------------------------------
https://doublepulsar.com/lockbit-ransomware-group-assemble-strike-team-to-breach-banks-law-firms-and-governments-4220580bfcee


∗∗∗ CVE Half-Day Watcher ∗∗∗
---------------------------------------------
CVE Half-Day Watcher is a security tool designed to highlight the risk of early exposure of Common Vulnerabilities and Exposures (CVEs) in the public domain. It leverages the National Vulnerability Database (NVD) API to identify recently published CVEs with GitHub references before an official patch is released. By doing so, CVE Half-Day Watcher aims to underscore the window of opportunity for attackers to "harvest" this information and develop exploits.
---------------------------------------------
https://github.com/Aqua-Nautilus/CVE-Half-Day-Watcher


∗∗∗ Beware of job offers via SMS or WhatsApp ∗∗∗
---------------------------------------------
Out of the blue you receive a message from a recruitment agency: you are being offered a job. The pay is good and the working hours are flexible. The work consists of rating hotels and tourist attractions. If interested, you are asked to send the employer a WhatsApp message. Ignore this job offer; it is a scam!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-per-sms-oder-whatsapp/


∗∗∗ Ddostf DDoS Bot Malware Attacking MySQL Servers ∗∗∗
---------------------------------------------
The ASEC analysis team has recently discovered that the Ddostf DDoS bot is being installed on vulnerable MySQL servers. Ddostf is a DDoS bot capable of conducting Distributed Denial of Service (DDoS) attacks on specific targets and was first identified around 2016.
---------------------------------------------
https://asec.ahnlab.com/en/58878/


∗∗∗ A Closer Look at ChatGPT's Role in Automated Malware Creation ∗∗∗
---------------------------------------------
This blog entry explores the effectiveness of ChatGPT's safety measures, the potential for AI technologies to be misused by criminal actors, and the limitations of current AI models.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/k/a-closer-look-at-chatgpt-s-role-in-automated-malware-creation.html


∗∗∗ Malicious Abrax666 AI Chatbot Exposed as Potential Scam ∗∗∗
---------------------------------------------
As of now, based on the information regarding the sale of the Abrax666 AI Chatbot, cybersecurity researchers are of the opinion that the chatbot is most likely a scam.
---------------------------------------------
https://www.hackread.com/abrax666-ai-chatbot-exposed-as-potential-scam/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Siemens Security Advisories ∗∗∗
---------------------------------------------
Siemens has released 14 new and 18 updated Security Advisories.
---------------------------------------------
https://www.siemens.com/global/en/products/services/cert.html?d=2023-11#SiemensSecurityAdvisories


∗∗∗ Xen Security Advisory CVE-2023-46835 / XSA-445 - x86/AMD: mismatch in IOMMU quarantine page table levels ∗∗∗
---------------------------------------------
A device in quarantine mode can access data from previous quarantine page table usages, possibly leaking data used by previous domains that also had the device assigned.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-445.html


∗∗∗ Xen Security Advisory CVE-2023-46836 / XSA-446 - x86: BTC/SRSO fixes not fully effective ∗∗∗
---------------------------------------------
An attacker in a PV guest might be able to infer the contents of memory belonging to other guests.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-446.html


∗∗∗ SAP Security Patch Day – November 2023 ∗∗∗
---------------------------------------------
On 14 November 2023, SAP Security Patch Day saw the release of 3 new Security Notes. Further, there were 3 updates to previously released Security Notes.
---------------------------------------------
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (postgresql-11, postgresql-13, and postgresql-15), Fedora (chromium, optipng, and radare2), Scientific Linux (plexus-archiver and python), Slackware (tigervnc), SUSE (apache2, containerized-data-importer, kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, postgresql, postgresql15, postgresql16, postgresql12, postgresql13, python-Django1, squashfs, and xterm), and Ubuntu (firefox and memcached).
---------------------------------------------
https://lwn.net/Articles/951311/


∗∗∗ ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric ∗∗∗
---------------------------------------------
Siemens and Schneider Electric’s Patch Tuesday advisories for November 2023 address 90 vulnerabilities affecting their products.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-90-vulnerabilities-addressed-by-siemens-and-schneider-electric/


∗∗∗ Mattermost security updates 9.1.3 / 9.0.4 / 8.1.6 (ESR) / 7.8.15 (ESR) released ∗∗∗
---------------------------------------------
The security update is available for Mattermost dot releases 9.1.3, 9.0.4, 8.1.6 (Extended Support Release), and 7.8.15 (Extended Support Release), for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-9-1-3-9-0-4-8-1-6-esr-7-8-15-esr-released/


∗∗∗ TYPO3-CORE-SA-2023-007: By-passing Cross-Site Scripting Protection in HTML Sanitizer ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-core-sa-2023-007


∗∗∗ TYPO3-CORE-SA-2023-006: Weak Authentication in Session Handling ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-core-sa-2023-006


∗∗∗ TYPO3-CORE-SA-2023-005: Information Disclosure in Install Tool ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-core-sa-2023-005


∗∗∗ IBM Integration Bus is vulnerable to multiple CVEs due to Apache Tomcat. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7072626


∗∗∗ IBM QRadar Network Packet Capture includes components with multiple known vulnerabilities (CVE-2023-2828, CVE-2023-24329, CVE-2022-4839) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7073360


∗∗∗ IBM Security Guardium is affected by multiple OS level vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7073592


∗∗∗ AVEVA Operations Control Logger ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-01


∗∗∗ Rockwell Automation SIS Workstation and ISaGRAF Workbench ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-02

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
