[CERT-daily] Tageszusammenfassung - 16.10.2023

Mon Oct 16 18:12:19 CEST 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 13-10-2023 18:00 − Montag 16-10-2023 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ DarkGate malware spreads through compromised Skype accounts ∗∗∗
---------------------------------------------
Between July and September, DarkGate malware attacks have used compromised Skype accounts to infect targets through messages containing VBA loader script attachments. 
---------------------------------------------
https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-through-compromised-skype-accounts/


∗∗∗ Scanning evasion issue in Cisco Secure Email Gateway ∗∗∗
---------------------------------------------
Cisco Secure Email Gateway provided by Cisco Systems may fail to detect specially crafted files.
---------------------------------------------
https://jvn.jp/en/jp/JVN58574030/


∗∗∗ Security review for Microsoft Edge version 118 ∗∗∗
---------------------------------------------
We are pleased to announce the security review for Microsoft Edge, version 118!   We have reviewed the new settings in Microsoft Edge version 118 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 117 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-review-for-microsoft-edge-version-118/ba-p/3955123


∗∗∗ SpyNote: Beware of This Android Trojan that Records Audio and Phone Calls ∗∗∗
---------------------------------------------
The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features.Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure.
---------------------------------------------
https://thehackernews.com/2023/10/spynote-beware-of-this-android-trojan.html


∗∗∗ Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign ∗∗∗
---------------------------------------------
Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems."The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 [..]
---------------------------------------------
https://thehackernews.com/2023/10/pro-russian-hackers-exploiting-recent.html


∗∗∗ Signal says there is no evidence rumored zero-day bug is real ∗∗∗
---------------------------------------------
As this is an ongoing investigation, and the mitigation is to simply disable the Link Previews feature, users may want to turn this setting off for the time being until its fully confirmed not to be real.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/signal-says-there-is-no-evidence-rumored-zero-day-bug-is-real/


∗∗∗ “EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts ∗∗∗
---------------------------------------------
Over the last two months, leveraging a vast array of hijacked WordPress sites, this threat actor has misled users into downloading malicious fake “browser updates”. While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they’ve quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain. This campaign is up and harder than ever to detect and take down.
---------------------------------------------
https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16


∗∗∗ Blocking Dedicated Attacking Hosts Is Not Enough: In-Depth Analysis of a Worldwide Linux XorDDoS Campaign ∗∗∗
---------------------------------------------
We provide a comprehensive analysis of the XorDDoS Trojans attacking behaviors. Subsequently, we unveil the intricate network infrastructure orchestrating the campaigns botnet. Lastly, we introduce the advanced signatures derived from the key attacking hotspots, including hostnames, URLs and IP addresses. These signatures effectively identified over 1,000 XorDDoS C2 traffic sessions in August 2023 alone.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-linux-xorddos-trojan-campaign-delivers-malware/


∗∗∗ WS_FTP: Ransomware-Attacken auf ungepatchte Server ∗∗∗
---------------------------------------------
In WS_FTP hat Hersteller Progress kürzlich teils kritische Sicherheitslücken geschlossen. Inzwischen sieht Sophos Ransomware-Angriffe darauf.
---------------------------------------------
https://www.heise.de/news/WS-FTP-Ransomware-Attacken-auf-ungepatchte-Server-9335146.html


∗∗∗ Milesight Industrial Router Vulnerability Possibly Exploited in Attacks ∗∗∗
---------------------------------------------
A vulnerability affecting Milesight industrial routers, tracked as CVE-2023-4326, may have been exploited in attacks.
---------------------------------------------
https://www.securityweek.com/milesight-industrial-router-vulnerability-possibly-exploited-in-attacks/


∗∗∗ Sie verkaufen auf Willhaben? Diese Betrugsmasche sollten Sie kennen! ∗∗∗
---------------------------------------------
Auf Willhaben und anderen Verkaufsplattformen begegnen Ihnen sicherlich auch mal Betrüger:innen. Besonders vorsichtig sollten Sie sein, wenn Sie zum ersten Mal verkaufen und Sie den Ablauf eines Verkaufs noch nicht so gut kennen. Wir zeigen Ihnen eine gängige Betrugsmasche und wie Sie sich davor schützen!
---------------------------------------------
https://www.watchlist-internet.at/news/sie-verkaufen-auf-willhaben-diese-betrugsmasche-sollten-sie-kennen/


∗∗∗ curl-Schwachstelle durch Microsoft ungepatcht ∗∗∗
---------------------------------------------
In der Bibliothek und im Tool curl gibt es in älteren Versionen eine Schwachstelle, die vom Projekt am 11. Oktober 2023 mit der Version 8.4.0 geschlossen wurde. Microsoft liefert curl mit Windows aus, und es stellte sich die Frage, ob curl zum Patchday, 10. Oktober 2023, ebenfalls aktualisiert wurde. Mein Stand ist, dass in Windows auch nach den Oktober 2023-Updates die veraltete curl-Version enthalten ist.
---------------------------------------------
https://www.borncity.com/blog/2023/10/14/curl-schwachstelle-durch-microsoft-ungepatcht/


∗∗∗ Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability ∗∗∗
---------------------------------------------
Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.
---------------------------------------------
https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/


∗∗∗ Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Exim bugs ∗∗∗
---------------------------------------------
Fixed in 4.96.2/4.97:
- CVE-2023-42117: Improper Neutralization of Special Elements
- CVE-2023-42119: dnsdb Out-Of-Bounds Read
libspf2 Integer Underflow:
- CVE-2023-42118: Mitigation: Do not use the `spf` condition in your ACL
---------------------------------------------
https://exim.org/static/doc/security/CVE-2023-zdi.txt


∗∗∗ Wordpress: Übernahme durch Lücke in Royal Elementor Addons and Template ∗∗∗
---------------------------------------------
Im Wordpress-Plug-in Royal Elementor Addons and Template missbrauchen Cyberkriminelle eine kritische Lücke. Sie nutzen sie zur Übernahme von Instanzen.
---------------------------------------------
https://www.heise.de/news/Wordpress-Uebernahme-durch-Luecke-in-Royal-Elementor-Addons-and-Template-9335615.html


∗∗∗ Samba: Neue Versionen beheben mehrere Sicherheitslücken ∗∗∗
---------------------------------------------
Durch verschiedene Programmierfehler konnten Angreifer auf geheime Informationen bis hin zum Kerberos-TGT-Passwort zugreifen. Aktualisierungen stehen bereit.
---------------------------------------------
https://www.heise.de/news/Samba-Neue-Versionen-beheben-mehrere-Sicherheitsluecken-9335169.html


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (batik, poppler, and tomcat9), Fedora (chromium, composer, curl, emacs, ghostscript, libwebp, libXpm, netatalk, nghttp2, python-asgiref, python-django, and webkitgtk), Mageia (curl and libX11), Oracle (bind, busybox, firefox, and kernel), Red Hat (curl, dotnet6.0, dotnet7.0, and nginx), SUSE (chromium, cni, cni-plugins, grub2, netatalk, opensc, opera, and wireshark), and Ubuntu (iperf3).
---------------------------------------------
https://lwn.net/Articles/947891/


∗∗∗ Vulnerabilities in Video Station ∗∗∗
---------------------------------------------
Three vulnerabilities have been reported to affect Video Station:
- CVE-2023-34975 and CVE-2023-34976: SQL injection vulnerabilities
- CVE-2023-34977: Cross-site scripting (XSS) vulnerability
If exploited, these vulnerabilities could allow authenticated users to inject malicious code via a network.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-52


∗∗∗ Vulnerabilities in QTS, QuTS hero, and QuTScloud ∗∗∗
---------------------------------------------
Two vulnerabilities have been reported to affect several QNAP operating system versions:
- CVE-2023-32970: If exploited, the null pointer dereference vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network.
- CVE-2023-32973: If exploited, the buffer copy without checking size of input vulnerability could allow authenticated administrators to execute code via a network.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-41


∗∗∗ Vulnerability in QTS, QuTS hero, and QuTScloud ∗∗∗
---------------------------------------------
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read and expose sensitive data via a network.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-42


∗∗∗ Vulnerability in Container Station ∗∗∗
---------------------------------------------
An OS command injection vulnerability has been reported to affect Container Station. If exploited, the vulnerability could allow authenticated administrators to execute arbitrary commands via a network.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-44


∗∗∗ web2py vulnerable to OS command injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN80476432/


∗∗∗ cURL and libcurl Vulnerability Affecting Cisco Products: October 2023 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-curl-libcurl-D9ds39cV


∗∗∗ Cisco IOS XE Software Web UI Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z


∗∗∗ FortiSandbox - XSS on delete endpoint ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-311


∗∗∗ FortiSandbox - Reflected Cross Site Scripting (XSS) on download progress endpoint ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-215


∗∗∗ FortiSandbox - Arbitrary file delete ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-280


∗∗∗ Red Lion Europe: Vulnerability allows access to non-critical information in mbCONNECT24 and mymbCONNECT24 ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-041/


∗∗∗ Helmholz: Vulnerability allows access to non-critical information in myREX24 and myREX24.virtual ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-043/


∗∗∗ 2023-10 Security Bulletin: Junos OS and Junos OS Evolved: High CPU load due to specific NETCONF command (CVE-2023-44184) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-High-CPU-load-due-to-specific-NETCONF-command-CVE-2023-44184


∗∗∗ IBM Security Verify Access Appliance has multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009735


∗∗∗ Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953617


∗∗∗ Security Vulnerabilities fixed in IBM Security Verify Access (CVE-2022-40303) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009741


∗∗∗ IBM Security Verify Access OpenID Connect Provider container has fixed multiple vulnerabilities (CVE-2022-43868, CVE-2022-43739, CVE-2022-43740) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028513


∗∗∗ IBM Security Verify Access product is vulnerable to Open Redirects (AAC module ) (CVE-2023-30433) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012613


∗∗∗ Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014261


∗∗∗ IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014259


∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7052776


∗∗∗ Multiple Vulnerabilities of Apache HttpClient have affected IBM Jazz Reporting Service ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7052811


∗∗∗ Google Guava component is vulnerable to CVE-2023-2976 is used by IBM Jazz Reporting Services. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7052810


∗∗∗ IBM Jazz Reporting Service is vulnerable to a denial of service (CVE-2023-35116) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7052809


∗∗∗ Vulnerability with snappy-java affect IBM Cloud Object Storage Systems (Oc2023v1) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7052829


∗∗∗ Require strict cookies for image proxy requests ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8j9x-fmww-qr37


∗∗∗ OAuth2 client_secret stored in plain text in the database ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9


∗∗∗ Inviting excessive long email addresses to a calendar event makes the server unresponsive ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r936-8gwm-w452


∗∗∗ Password of talk conversations can be bruteforced ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7rf8-pqmj-rpqv


∗∗∗ Rate limiter not working reliable when Memcached is installed ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xmhp-7vr4-hp63


∗∗∗ Security updates 1.5.5 and 1.4.15 released ∗∗∗
---------------------------------------------
https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15


∗∗∗ Security update 1.6.4 released ∗∗∗
---------------------------------------------
https://roundcube.net/news/2023/10/16/security-update-1.6.4-released

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily