[CERT-daily] Tageszusammenfassung - 12.10.2023

Daily end-of-shift report team at cert.at
Thu Oct 12 18:31:23 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 11-10-2023 18:00 − Donnerstag 12-10-2023 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Well, this SOCKS - curl SOCKS 5 Heap Buffer Overflow (CVE-2023-38545) ∗∗∗
---------------------------------------------
Nachdem letzte Woche ein Advisory zu "der schlimmsten Schwachstelle in curl seit Langem" angekündigt wurde, konnten verängstigte, verschlafene und chronisch unterkoffeinierte Admins und Security-Spezialisten nach der gestrigen Veröffentlichung den Schaden begutachten. Die gute Nachricht: Die Apokalypse ist an uns vorüber gegangen. Die schlechte Nachricht: Mit dem CVSS(v2) Score lässt sich die Schwere einer Schwachstelle nicht immer ausreichend abbilden.
---------------------------------------------
https://cert.at/de/blog/2023/10/well-this-socks-curl-socks-5-heap-buffer-overflow-cve-2023-38545


∗∗∗ ToddyCat: Keep calm and check logs ∗∗∗
---------------------------------------------
In this article, we’ll describe ToddyCat new toolset, the malware used to steal and exfiltrate data, and the techniques used by this group to move laterally and conduct espionage operations.
---------------------------------------------
https://securelist.com/toddycat-keep-calm-and-check-logs/110696/


∗∗∗ Malicious NuGet Package Targeting .NET Developers with SeroXen RAT ∗∗∗
---------------------------------------------
A malicious package hosted on the NuGet package manager for the .NET Framework has been found to deliver a remote access trojan called SeroXen RAT. The package, named Pathoschild.Stardew.Mod.Build.Config and published by a user named Disti, is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig, software supply chain security firm Phylum said in a report today. While the real package has received nearly 79,000 downloads to date, the malicious variant is said to have artificially inflated its download count after being published on October 6, 2023, to surpass 100,000 downloads.
---------------------------------------------
https://thehackernews.com/2023/10/malicious-nuget-package-targeting-net.html


∗∗∗ New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects ∗∗∗
---------------------------------------------
In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.
---------------------------------------------
https://www.virusbulletin.com/blog/2023/10/new-paper-nexus-android-banking-botnet-compromising-cc-panels-and-dissecting-mobile-appinjects/


∗∗∗ Backdoor Malware Found on WordPress Website Disguised as Legitimate Plugin ∗∗∗
---------------------------------------------
A backdoor deployed on a compromised WordPress website poses as a legitimate plugin to hide its presence.
---------------------------------------------
https://www.securityweek.com/backdoor-malware-found-on-wordpress-website-disguised-as-legitimate-plugin/


∗∗∗ Using Velociraptor for large-scale endpoint visibility and rapid threat hunting ∗∗∗
---------------------------------------------
In this post we give on overview of some of the capabilities of Velociraptor, and also how we have leveraged them to conduct some real-time threat hunting shedding light on how it can equip security teams to proactively safeguard digital environments.
---------------------------------------------
https://www.pentestpartners.com/security-blog/using-velociraptor-for-large-scale-endpoint-visibility-and-rapid-threat-hunting/


∗∗∗ Angebliche Branchenbücher und Firmenverzeichnisse locken in teure Abo-Falle! ∗∗∗
---------------------------------------------
Aktuell werden uns zahlreiche unseriöse Branchen-, Adressen- und Firmenverzeichnisse gemeldet, die versuchen Unternehmen das Geld aus der Tasche zu ziehen. Per E-Mail, Telefon oder Fax werden Unternehmen dazu überredet, sich in ein nutzloses und oft gar nicht existierendes Branchenbuch einzutragen. Wer auf das Angebot eingeht, schließt ein überteuertes Abo ab, das nur schwer zu kündigen ist. Betroffen von dieser Abzocke sind vor allem kleine und mittlere Unternehmen.
---------------------------------------------
https://www.watchlist-internet.at/news/angebliche-branchenbuecher-und-firmenverzeichnisse-locken-in-teure-abo-falle/


∗∗∗ XOR Known-Plaintext Attacks ∗∗∗
---------------------------------------------
In this blog post, we show in detail how a known-plaintext attack on XOR encoding works, and automate it with custom tools to decrypt and extract the configuration of a Cobalt Strike beacon. If you are not interested in the theory, just in the tools, go straight to the conclusion.
---------------------------------------------
https://blog.nviso.eu/2023/10/12/xor-known-plaintext-attacks/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ An analysis of PoS/ cashIT! cash registers ∗∗∗
---------------------------------------------
This report summarizes our findings about vulnerabilities in cashIT!, a cash register system implementing the Austrian cash registers security regulation (RKSV). Besides lack of encryption, outdated software components and low-entropy passwords, these weaknesses include a bypass of origin checks (CVE-2023-3654), unauthenticated remote database exfiltration (CVE-2023-3655), and unauthenticated remote code with administrative privileges on the cash register host machines (CVE-2023-3656). Based on our analysis result, these vulnerabilities affect over 200 cash register installations in Austrian restaurants that are accessible over the Internet.
---------------------------------------------
https://epub.jku.at/obvulioa/content/titleinfo/9142358


∗∗∗ Sicherheitsupdates: Backdoor-Lücke bedroht Netzwerkgeräte von Juniper ∗∗∗
---------------------------------------------
Schwachstellen im Netzwerkbetriebssystem Junos OS bedrohen Routing-, Switching- und Sicherheitsgeräte von Juniper.
---------------------------------------------
https://www.heise.de/-9332169


∗∗∗ 10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflows ∗∗∗
---------------------------------------------
Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device [..] All these vulnerabilities also have a severity score of 9.8. Talos is disclosing these vulnerabilities despite no official patch from Yifan, all in adherence to Cisco’s third-party vendor vulnerability disclosure policy. 
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-webkit-and-yifan-router/


∗∗∗ 40 Schwachstellen in IBM-Sicherheitslösung QRadar SIEM geschlossen ∗∗∗
---------------------------------------------
Mehrere Komponenten in IBM QRadar SIEM weisen Sicherheitslücken auf und gefährden das Security-Information-and-Event-Management-System.
---------------------------------------------
https://www.heise.de/-9332542


∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 2, 2023 to October 8, 2023) ∗∗∗
---------------------------------------------
Last week, there were 92 vulnerabilities disclosed in 88 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week.
---------------------------------------------
https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpress-vulnerability-report-october-2-2023-to-october-8-2023/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libcue, org-mode, python3.7, and samba), Fedora (libcue, oneVPL, oneVPL-intel-gpu, and xen), Mageia (glibc), Oracle (glibc, kernel, libssh2, libvpx, nodejs, and python-reportlab), Slackware (libcaca), SUSE (gsl, ImageMagick, kernel, opensc, python-urllib3, qemu, rage-encryption, samba, and xen), and Ubuntu (curl and samba).
---------------------------------------------
https://lwn.net/Articles/947570/


∗∗∗ Weintek cMT3000 HMI Web CGI ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-12


∗∗∗ Advantech WebAccess ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-15


∗∗∗ Santesoft Sante FFT Imaging ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-02


∗∗∗ Santesoft Sante DICOM Viewer Pro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-01


∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-13


∗∗∗ Hikvision Access Control and Intercom Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-14


∗∗∗ PILZ : WIBU Vulnerabilities in multiple Products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-033/


∗∗∗ Schneider Electric IGSS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-16


∗∗∗ Hikvision Access Control and Intercom Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-14


∗∗∗ CVE-2023-3281 Cortex XSOAR: Cleartext Exposure of Client Certificate Key in Kafka v3 Integration (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-3281


∗∗∗ IBM Aspera Faspex has addressed an IP address restriction bypass vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7048851


∗∗∗ Vulnerability of okio-1.13.0.jar is affecting APM WebSphere Application Server Agent, APM Tomcat Agent, APM SAP NetWeaver Java Stack Agent, APM WebLogic Agent and APM Data Collector for J2SE ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7051173


∗∗∗ IBM App Connect Enterprise is vulnerable to a potential information disclosure ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7051204

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list