[CERT-daily] Daily summary - 27.09.2023

Daily end-of-shift report team at cert.at
Wed Sep 27 18:25:15 CEST 2023


=====================
= End-of-Day report =
=====================

Timeframe:   Tuesday 26-09-2023 18:00 - Wednesday 27-09-2023 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Countless applications affected: WebP vulnerability reaches maximum severity ∗∗∗
---------------------------------------------
The vulnerability in the WebP library was previously incorrectly flagged as a Chrome bug. It affects far more applications, however.
---------------------------------------------
https://www.golem.de/news/unzaehlige-anwendungen-betroffen-webp-schwachstelle-erreicht-maximalen-schweregrad-2309-178002.html


∗∗∗ Apple Releases MacOS Sonoma Including Numerous Security Patches, (Tue, Sep 26th) ∗∗∗
---------------------------------------------
As expected, Apple today released macOS Sonoma (14.0). This update, in addition to new features, provides patches for about 60 different vulnerabilities.
---------------------------------------------
https://isc.sans.edu/diary/rss/30252


∗∗∗ ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families ∗∗∗
---------------------------------------------
Cybersecurity experts have shed light on a new cybercrime group known as ShadowSyndicate (formerly Infra Storm) that may have leveraged as many as seven different ransomware families over the past year. "ShadowSyndicate is a threat actor that works with various ransomware groups and affiliates of ransomware programs," Group-IB and Bridewell said in a joint technical report.
---------------------------------------------
https://thehackernews.com/2023/09/shadowsyndicate-new-cybercrime-group.html


∗∗∗ Reports about Cyber Actors Hiding in Router Firmware ∗∗∗
---------------------------------------------
On September 27, 2023, a joint cybersecurity advisory (CSA) was released detailing activities of the cyber actors known as BlackTech. The CSA describes how BlackTech is able to modify router firmware without detection. [...] Cisco has reviewed the report. Cisco would like to highlight the following key facts: The most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. As outlined in the report, certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials. [...]
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csa-cyber-report-sept-2023


∗∗∗ Hacking htmx applications ∗∗∗
---------------------------------------------
With the normal flow of frontend frameworks moving from hipster to mainstream in the coming few months, during a test, you bump into this strange application that receives HTML with `hx-` attributes in responses. Congrats, you are testing your first htmx application, let me give you the building blocks to play with for testing this type of application.
---------------------------------------------
https://medium.com/@matuzg/hacking-htmx-applications-f8d29665faf


∗∗∗ A Deep Dive into Brute Ratel C4 payloads – Part 2 ∗∗∗
---------------------------------------------
Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we’re presenting a technical analysis of a Brute Ratel badger/agent that doesn’t implement all the recent features of the framework. There aren’t a lot of Brute Ratel samples available in the wild. This second part of the analysis presents the remaining commands executed by the agent.
---------------------------------------------
https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/


∗∗∗ Fake Bitwarden installation packages delivered RAT to Windows users ∗∗∗
---------------------------------------------
Windows users looking to install the Bitwarden password manager may have inadvertently installed a remote access trojan (RAT). A malicious website spoofing Bitwarden's legitimate one (located at bitwariden[.]com) has been offering fake installation packages containing the ZenRAT malware.
---------------------------------------------
https://www.helpnetsecurity.com/2023/09/27/windows-bitwarden-rat/


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Oracle (libtiff), Red Hat (libtiff, nodejs:16, and nodejs:18), Slackware (mozilla), SUSE (bind, cacti, cacti-spine, ImageMagick, kernel, libwebp, netatalk, open-vm-tools, postfix, quagga, wire, and wireshark), and Ubuntu (cups, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-bluefield, linux-raspi, and linux-raspi-5.4).
---------------------------------------------
https://lwn.net/Articles/945700/


∗∗∗ New GPU Side-Channel Attack Allows Malicious Websites to Steal Data ∗∗∗
---------------------------------------------
GPUs from AMD, Apple, Arm, Intel, Nvidia and Qualcomm are vulnerable to a new type of side-channel attack named GPU.zip.
---------------------------------------------
https://www.securityweek.com/new-gpu-side-channel-attack-allows-malicious-websites-to-steal-data/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ VMSA-2023-0020 ∗∗∗
---------------------------------------------
VMware Aria Operations updates address local privilege escalation vulnerability. (CVE-2023-34043)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0020.html


∗∗∗ K000136909 : BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43125 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000136909


∗∗∗ K000136907 : BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43124 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000136907


∗∗∗ semver-6.3.0.tgz is vulnerable to CVE-2022-25883 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7039430


∗∗∗ Okio GzipSource is vulnerable to CVE-2023-3635 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7039433


∗∗∗ Certifi is vulnerable to CVE-2023-37920 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7039436


∗∗∗ VMware Tanzu Spring for Apache Kafka is vulnerable to CVE-2023-34040 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7039438


∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-35890) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7039519


∗∗∗ Vulnerability found in Eclipse Jetty may affect IBM Enterprise Records ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7040603


∗∗∗ Vulnerability of jython-standalone-2.7.0.jar has affected APM WebSphere Application Server Agent and APM Tomcat Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7040614


∗∗∗ IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7040672


∗∗∗ IBM Cognos Analytics is affected but not classified as vulnerable to vulnerabilities in IBM Websphere Application Server Liberty ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7040744


∗∗∗ The Bouncy Castle Crypto Package For Java (bc-java) component is vulnerable to CVE-2023-33201 and is used by IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028107


∗∗∗ Control Access issues in PCOMM ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031707

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily