[CERT-daily] Tageszusammenfassung - 23.10.2023
Daily end-of-shift report
team at cert.at
Mon Oct 23 18:56:11 CEST 2023
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 20-10-2023 18:00 − Montag 23-10-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Sessioncookies: Hacker erbeuten Zugangscodes bei Identitätsdienst Okta ∗∗∗
---------------------------------------------
Der Identitätsdienst Okta ist ein weiteres Mal das Einfallstor für Hacker gewesen. Dieses Mal betraf es Daten des Kundensupports.
---------------------------------------------
https://www.golem.de/news/sessioncookies-hacker-erbeuten-zugangscodes-bei-identitaetsdienst-okta-2310-178694.html
∗∗∗ Erst nach 3 Jahren gefixt: Zeiterfassungssystem ermöglichte OAuth-Token-Diebstahl ∗∗∗
---------------------------------------------
Harvest ermöglichte es Angreifern, OAuth-Token von Nutzern zu stehlen, die die Zeiterfassungssoftware mit Outlook verbinden wollten.
---------------------------------------------
https://www.golem.de/news/erst-nach-3-jahren-gefixt-zeiterfassungssystem-ermoeglichte-oauth-token-diebstahl-2310-178722.html
∗∗∗ Die MOVEit-Sicherheitslücke – eine Zwischenbilanz ∗∗∗
---------------------------------------------
Selbst wer die Software nicht verwendet, kann ein Opfer sein. Schätzungen gehen bisher von rund 68 Millionen Personen aus, deren Daten abgeflossen sind.
---------------------------------------------
https://www.heise.de/-9318038.html
∗∗∗ Internationalen Ermittlungsbehörden gelingt Schlag gegen Ragnar Locker ∗∗∗
---------------------------------------------
Internationalen Ermittlern ist es gelungen, die Infrastruktur der bekannten Ransomware-Gruppierung Ragnar Locker zu zerschlagen.
---------------------------------------------
https://www.heise.de/-9340480.html
∗∗∗ Cisco IOS XE und die verschwundenen Hintertüren ∗∗∗
---------------------------------------------
Die Anzahl der offensichtlich kompromittierten Geräte ist auch in Deutschland schlagartig gefallen, was wohl kaum an den gerade erschienenen Patches liegt.
---------------------------------------------
https://www.heise.de/-9341205.html
∗∗∗ New TetrisPhantom hackers steal data from secure USB drives on govt systems ∗∗∗
---------------------------------------------
A new sophisticated threat tracked as TetrisPhantom has been using compromised secure USB drives to target government systems in the Asia-Pacific region.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-tetrisphantom-hackers-steal-data-from-secure-usb-drives-on-govt-systems/
∗∗∗ The outstanding stealth of Operation Triangulation ∗∗∗
---------------------------------------------
In this report Kaspersky shares insights into the validation components used in Operation Triangulation, TriangleDB implant post-compromise activity, as well as details of some additional modules.
---------------------------------------------
https://securelist.com/triangulation-validators-modules/110847/
∗∗∗ base64dump.py Handles More Encodings Than Just BASE64, (Sun, Oct 22nd) ∗∗∗
---------------------------------------------
My tool base64dump.py takes any input and searches for encoded data. By default, it searches for base64 encoding, but I implemented several encodings (like vaious hexadecimal formats)
---------------------------------------------
https://isc.sans.edu/diary/rss/30332
∗∗∗ How an AppleTV may take down your (#IPv6) network, (Mon, Oct 23rd) ∗∗∗
---------------------------------------------
I recently ran into an odd issue with IPv6 connectivity in my home network. During a lengthy outage, I decided to redo some of my network configurations. As part of this change, I also reorganized my IPv6 setup, relying more on DHCPv6 and less on router advertisements to configure IPv6 addresses. Overall, this worked well. My Macs had no issues connecting to IPv6. However, the Linux host I use to alert me of network connectivity issues could not "ping" the test host via IPv6.
---------------------------------------------
https://isc.sans.edu/diary/rss/30336
∗∗∗ Tampered OpenCart Authentication Aids Credit Card Skimming Attack ∗∗∗
---------------------------------------------
Using out of date software is the leading cause of website compromise, so keeping your environment patched and up to date is one of the most important responsibilities of a website administrator. It’s not uncommon to employ the use of custom code on websites, and spend small fortunes on software developers to tailor their website just the way they want it. However, the usage of customised code can sometimes inadvertently lock a website administrator into using an out of date CMS installation long after its expiry date, particularly if they no longer have access to their old developer (or sufficient funds to hire a new one).
---------------------------------------------
https://blog.sucuri.net/2023/10/tampered-opencart-authentication-aids-credit-card-skimming-attack.html
∗∗∗ Abusing gdb Features for Data Ingress & Egress ∗∗∗
---------------------------------------------
As of November 2019, elfutils supports debuginfod, a client/server protocol that enables debuggers (gdb) to fetch debugging symbols via HTTP/HTTPs from a user-specified remote server. This blog post will demonstrate how this feature of gdb can be abused to create data communication paths for data exfiltration and tool ingress.
---------------------------------------------
https://www.archcloudlabs.com/projects/debuginfod/
∗∗∗ Vorsicht vor Jobangeboten auf WhatsApp oder Telegram ∗∗∗
---------------------------------------------
Sie suchen gerade einen Job? Praktisch, wenn Sie gar nicht suchen müssen und Sie direkt auf WhatsApp oder Telegram einen Job angeboten bekommen. Dahinter stecken aber Kriminelle, die Ihnen z. B. einen „Datenoptimierungsjob mit möglichen Provisionen“ anbieten. Auf Plattformen wie privko.live oder depopnr.com verlieren Sie dann Ihr Geld!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-auf-whatsapp-oder-telegram/
∗∗∗ Important security update ∗∗∗
---------------------------------------------
Autodesk recently determined that an unauthorized third-party obtained access to portions of internal systems. Our findings show that sensitive data about our customers and their projects or products have not been compromised. We immediately took steps to contain the incident. Forensic analysis conducted by an independent, third party indicates that no customer operations or Autodesk products were disrupted due to this incident.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0020
∗∗∗ Kritische Sicherheitslücke in Cisco IOS XE - aktiv ausgenützt ∗∗∗
---------------------------------------------
Update: 23. Oktober 2023 Cisco hat für einige der von der Schwachstelle betroffenen Geräte Aktualisierungen veröffentlicht, und weitere Updates angekündigt. Das Unternehmen aktualisiert die Liste an verfügbaren Patches auf einer dedizierten Seite laufend. Wenn das Management-WebInterface eines Cisco XE Gerätes vor dem Einspielen des Updates offen im Netz erreichbar war, ist davon auszugehen, dass ein Angreifer dies ausgenutzt hat und zumindest neue Admin-Accounts angelegt hat. Damit ist die Installation von weiteren Hintertüren möglich, die - aus heutiger Sicht - nur mit einem Factory Reset / Neuinstallation von IOS XE umfassend entfernt werden können
---------------------------------------------
https://cert.at/de/warnungen/2023/10/kritische-sicherheitslucke-in-cisco-ios-xe-aktiv-ausgenutzt
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature ∗∗∗
---------------------------------------------
Version 1.4: Updated the summary to indicate the first fixes are available. Added specific fixed release information.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (krb5, redis, roundcube, ruby-rack, ruby-rmagick, zabbix, and zookeeper), Fedora (ansible-core, chromium, libvpx, mingw-xerces-c, python-asgiref, python-django, and vim), Mageia (cadence, kernel, kernel-linus, libxml2, nodejs, and shadow-utils), Oracle (nghttp2), Slackware (LibRaw), and SUSE (chromium, java-11-openjdk, nodejs18, python-Django, python-urllib3, and suse-module-tools).
---------------------------------------------
https://lwn.net/Articles/948522/
∗∗∗ Vulnerability in QUSBCam2 ∗∗∗
---------------------------------------------
An OS command injection vulnerability has been reported to affect QUSBCam2. If exploited, the vulnerability could allow users to execute arbitrary commands via a network.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-43
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list