[CERT-daily] Tageszusammenfassung - 31.10.2023
Daily end-of-shift report
team at cert.at
Tue Oct 31 18:39:50 CET 2023
=====================
= End-of-Day report =
=====================
Timeframe: Montag 30-10-2023 18:00 − Dienstag 31-10-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ CVE-2023-4966 in Citrix NetScaler ADC und NetScaler Gateway wurde bereits als 0-day ausgenutzt ∗∗∗
---------------------------------------------
Uns wurde inzwischen von drei Organisationen in Österreich berichtet, dass Angreifer aufgrund der Sicherheitslücke im Citrix Server in ihren Systemen aktiv geworden sind, bevor Patches von Citrix verfügbar waren. Es wurden Befehle zur Erkundung des Systems und erste Schritte in Richtung lateral Movement beobachtet. Wir gehen inzwischen von einer weitläufigen Ausnutzung dieses 0-days aus.
---------------------------------------------
https://cert.at/de/aktuelles/2023/10/cve-2023-4966-0day
∗∗∗ Exploit für Cisco IOS XE veröffentlicht, Infektionszahlen weiter hoch ∗∗∗
---------------------------------------------
Sicherheitsforscher haben den Exploit für Cisco IOS XE untersucht und seinen simplen Trick aufgedeckt. Hunderte Geräte mit Hintertür sind noch online.
---------------------------------------------
https://www.heise.de/-9349296
∗∗∗ Multiple Layers of Anti-Sandboxing Techniques, (Tue, Oct 31st) ∗∗∗
---------------------------------------------
It has been a while that I did not find an interesting malicious Python script. All the scripts that I recently spotted were always the same: a classic intostealer using Discord as C2 channel. Today I found one that contains a lot of anti-sanboxing techniques. Let's review them. For malware, it's key to detect the environment where they are executed. When detonated inside a sandbox (automatically or, manually, by an Analyst), they will be able to change their behaviour (most likely, do nothing).
---------------------------------------------
https://isc.sans.edu/diary/rss/30362
∗∗∗ Malicious NuGet Packages Caught Distributing SeroXen RAT Malware ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment.
---------------------------------------------
https://thehackernews.com/2023/10/malicious-nuget-packages-caught.html
∗∗∗ LDAP authentication in Active Directory environments ∗∗∗
---------------------------------------------
Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post introduces them through the lens of Python libraries.
---------------------------------------------
https://offsec.almond.consulting/ldap-authentication-in-active-directory-environments.html
∗∗∗ Programmiersprache: End of Life für PHP 8.0 und Neues für PHP 8.3 ∗∗∗
---------------------------------------------
Die kommende Version 8.3 der Programmiersprache PHP hält einige Neuerungen bereit, und PHP 8.0 nähert sich dem Supportende.
---------------------------------------------
https://www.heise.de/-9348772
∗∗∗ Verkaufen auf etsy: Vorsicht vor betrügerischen Anfragen ∗∗∗
---------------------------------------------
Auf allen gängigen Verkaufsplattformen tummeln sich Kriminelle. Sie nehmen vor allem neue Nutzer:innen ins Visier, die die Abläufe noch nicht kennen. Wir zeigen Ihnen, wie Sie betrügerische Anfragen erkennen und sicher verkaufen!
---------------------------------------------
https://www.watchlist-internet.at/news/verkaufen-auf-etsy-vorsicht-vor-betruegerischen-anfragen/
∗∗∗ Lateral Movement: Abuse the Power of DCOM Excel Application ∗∗∗
---------------------------------------------
In this post, we will talk about an interesting lateral movement technique called ActivateMicrosoftApp() method within the distributed component object model (DCOM) Excel application. This technique is built upon Matt Nelson’s initial research on “Lateral Movement using Excel.Application and DCOM”.
---------------------------------------------
https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
∗∗∗ Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla) ∗∗∗
---------------------------------------------
While tracking the evolution of Pensive Ursa (aka Turla, Uroburos), Unit 42 researchers came across a new, upgraded variant of Kazuar. Not only is Kazuar another name for the enormous and dangerous cassowary bird, Kazuar is an advanced and stealthy .NET backdoor that Pensive Ursa usually uses as a second stage payload.
---------------------------------------------
https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backdoor/
=====================
= Vulnerabilities =
=====================
∗∗∗ Kritische Sicherheitslücke in Confluence Data Center und Confluence Server ∗∗∗
---------------------------------------------
In allen Versionen von Confluence Data Center und Confluence Server existiert eine kritische Sicherheitslücke (CVE-2023-22518 CVSS: 9.1). Das Ausnutzen der Sicherheitslücke auf betroffenen Geräten ermöglicht nicht authentifizierten Angreifern den Zugriff auf interne Daten des Systems. Obwohl Atlassian bislang keine Informationen zur aktiven Ausnutzung der Lücke hat, wird das zeitnahe Einspielen der verfügbaren Patches empfohlen.
---------------------------------------------
https://cert.at/de/warnungen/2023/10/confluence-cve-2023-22518
∗∗∗ RCE exploit for Wyze Cam v3 publicly released, patch now ∗∗∗
---------------------------------------------
A security researcher has published a proof-of-concept (PoC) exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices [...] Wyze released firmware update version 4.36.11.7071, which addresses the identified issues, on October 22, 2023, so users are recommended to apply the security update as soon as possible.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rce-exploit-for-wyze-cam-v3-publicly-released-patch-now/
∗∗∗ Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets ∗∗∗
---------------------------------------------
Three unpatched high-severity bugs in the NGINX ingress controller can be abused by miscreants to steal credentials and other secrets from Kubernetes clusters. The vulnerabilities, tracked as CVE-2023-5043, CVE-2023-5044 and CVE-2022-4886, were disclosed on October 27, and are listed as currently awaiting triage. It's unclear if any of the flaws have been exploited.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/10/30/unpatched_nginx_ingress_controller_bugs/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (jetty9, node-browserify-sign, request-tracker4, and request-tracker5), Fedora (golang-github-altree-bigfloat, golang-github-seancfoley-bintree, golang-github-seancfoley-ipaddress, kitty, slurm, and thunderbird), Gentoo (ConnMan, libxslt, and Salt), Mageia (chromium-browser-stable), Red Hat (firefox, libguestfs-winsupport, and thunderbird), SUSE (clamav, gcc13, gstreamer-plugins-bad, icu73_2, java-17-openjdk, nodejs10, poppler, python-Werkzeug, redis, thunderbird, webkit2gtk3, xorg-x11-server, and xwayland), and Ubuntu (kernel, linux-aws, linux-azure, linux-gcp, linux-oracle, linux-raspi, linux-iot, linux-raspi, linux-raspi-5.4, and mysql-8.0).
---------------------------------------------
https://lwn.net/Articles/949391/
∗∗∗ FujiFilm printer credentials encryption issue fixed ∗∗∗
---------------------------------------------
Many multi-function printers made by FujiFilm Business Innovation Corporation (Fujifilm) which includes Apeos, ApeosPro, PrimeLink and RevoriaPress brands as well as Xerox Corporation (Xerox) which includes VersaLink, PrimeLink, and WorkCentre brands, allow administrators to store credentials on them to allow users to upload scans and other files to FTP and SMB file servers. With the default configuration of these printers, it’s possible to retrieve these credentials in an encrypted format without authenticating to the printer. A vulnerability in the encryption process of these credentials means that you can decrypt them with responses from the web interface. This has been given the ID CVE-2023-46327.
---------------------------------------------
https://www.pentestpartners.com/security-blog/fujifilm-printer-credentials-encryption-issue-fixed/
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.0.0, 6.1.0, 6.1.1, and 6.2.0: SC-202310.1 ∗∗∗
---------------------------------------------
TNS-2023-35 / Critical
9.8 / 8.8 (CVE-2023-38545),
3.7 / 3.4 (CVE-2023-38546)
---------------------------------------------
https://www.tenable.com/security/tns-2023-35
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ INEA ME RTU ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-304-02
∗∗∗ Zavio IP Camera ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-304-03
∗∗∗ Sonicwall: TunnelCrack Vulnerabilities ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0015
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list