[CERT-daily] Daily summary - 13.02.2024

Daily end-of-shift report team at cert.at
Tue Feb 13 18:52:55 CET 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 12-02-2024 18:00 − Tuesday 13-02-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ The (D)Evolution of Pikabot ∗∗∗
---------------------------------------------
Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in usage in the second half of 2023 following the FBI-led takedown of Qakbot. This was likely the result of a BlackBasta ransomware affiliate replacing Qakbot with Pikabot for initial access. However, Pikabot ceased activity shortly after Christmas 2023, with its version number being 1.1.19 at that time. In recent campaigns, which started in February 2024, Pikabot reemerged with significant changes in its code base and structure.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/d-evolution-pikabot


∗∗∗ GMX, Web.de, online services: attacks on login credentials are increasing ∗∗∗
---------------------------------------------
Somewhat alarmistically, some media outlets report that there are increasing attacks on user accounts at GMX or Web.de, which among other things provide very popular webmail services. Very high numbers of failed login attempts are being displayed for numerous accounts there. These are apparently the everyday attacks on login credentials by cybercriminals who try to access online services using stolen account information.
---------------------------------------------
https://www.heise.de/-9626994


∗∗∗ Beware of fake WKÖ e-mails ∗∗∗
---------------------------------------------
Criminals are posing as the Austrian Federal Economic Chamber (Wirtschaftskammer Österreich) and asking companies in an e-mail to update their contact details. Under no circumstances should you click on the link; you will be taken to a fake WKÖ page, where criminals steal company and bank data.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-wkoe-e-mails/


∗∗∗ Directory.ReadWrite.All Is Not As Powerful As You Might Think ∗∗∗
---------------------------------------------
Directory.ReadWrite.All is an MS Graph permission that is frequently cited as granting high amounts of privilege, even being equated to the Global Admin Entra ID role [..] Misleading or incorrect documentation creates most of the misconceptions regarding this permission.
---------------------------------------------
https://posts.specterops.io/directory-readwrite-all-is-not-as-powerful-as-you-might-think-c5b09a8f78a8


∗∗∗ Ongoing Microsoft Azure account hijacking campaign targets executives ∗∗∗
---------------------------------------------
A phishing campaign detected in late November 2023 has compromised hundreds of user accounts in dozens of Microsoft Azure environments, including those of senior executives.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ongoing-microsoft-azure-account-hijacking-campaign-targets-executives/


∗∗∗ Fileless Revenge RAT Malware ∗∗∗
---------------------------------------------
AhnLab Security Intelligence Center (ASEC) recently discovered the distribution of Revenge RAT malware that had been developed based on legitimate tools. It appears that the attackers have used tools such as ‘smtp-validator’ and ‘Email To Sms’. At the time of execution, the malware creates and runs both a legitimate tool and a malicious file, making it difficult for users to realize that a malicious activity has occurred.
---------------------------------------------
https://asec.ahnlab.com/en/61584/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Request Tracker Write-up (CVE-2023-41259, CVE-2023-41260) ∗∗∗
---------------------------------------------
Without authentication we were able to extract file-attachments that were uploaded to RT, including e-mails received from and to users regarding tickets and issues. We also found it was possible to obtain information about tickets and users.
---------------------------------------------
https://www.linkedin.com/pulse/request-tracker-write-up-tom-wolters-ygsae


∗∗∗ PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor ∗∗∗
---------------------------------------------
An attacker can publish a zone that contains crafted DNSSEC related records. While validating results from queries to that zone using the RFC mandated algorithms, the Recursor’s resource usage can become so high that processing of other queries is impacted, resulting in a denial of service. Note that any resolver following the RFCs can be impacted; this is not a problem of this particular implementation.
---------------------------------------------
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html


∗∗∗ DNS servers: Bind and Unbound stumble over the "KeyTrap" security vulnerability ∗∗∗
---------------------------------------------
With a specially crafted DNS query, attackers can cause high CPU load and thereby block the service for legitimate users. Patches are available.
---------------------------------------------
https://www.heise.de/-9627276


∗∗∗ Security vulnerabilities: attackers can compromise Dell Unity ∗∗∗
---------------------------------------------
The bugs are in the Dell Unity Operating Environment (OE). The developers state that release 5.4.0.0.5.094 fixes them. Among the affected products are Dell EMC Unity, Dell EMC Unity XT 380F and Dell EMC Unity Hybrid. All vulnerable products are listed in the advisory.
---------------------------------------------
https://www.heise.de/-9626407


∗∗∗ Qnap: security vulnerabilities in firmware allow command injection ∗∗∗
---------------------------------------------
In its security advisory, Qnap writes that there are two vulnerabilities. The description for both reads: a command injection vulnerability has been reported in several Qnap operating system versions. If exploited, they allow users to execute commands over the network (CVE-2023-47218, CVE-2023-50358, CVSS 5.8, risk "medium").
---------------------------------------------
https://www.heise.de/-9626319


∗∗∗ SAP patches: 13 security vulnerabilities closed ∗∗∗
---------------------------------------------
SAP is distributing software updates that fix vulnerabilities from 13 security notes. One vulnerability is critical.
---------------------------------------------
https://www.heise.de/-9626592


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (clamav and virtiofsd), Oracle (gimp), Red Hat (gnutls and nss), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t and squid), and Ubuntu (openssl).
---------------------------------------------
https://lwn.net/Articles/961937/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ TYPO3 Security Advisories ∗∗∗
---------------------------------------------
https://typo3.org/help/security-advisories


∗∗∗ Autodesk: Multiple Vulnerabilities in Autodesk InfraWorks software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0001


∗∗∗ Mitsubishi Electric MELSEC iQ-R Series Safety CPU ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-044-01


∗∗∗ HIMA: Multiple products affected by DoS and Port-Based-VLAN Crossing ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-013/


∗∗∗ Schneider Electric Security Advisories ∗∗∗
---------------------------------------------
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp


∗∗∗ SSA-943925 V1.0: Multiple Vulnerabilities in SINEC NMS before V2.0 SP1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-943925.html


∗∗∗ SSA-871717 V1.0: Multiple Vulnerabilities in Polarion ALM ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-871717.html


∗∗∗ SSA-806742 V1.0: Multiple Vulnerabilities in SCALANCE XCM-/XRM-300 before V2.4 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-806742.html


∗∗∗ SSA-797296 V1.0: XT File Parsing Vulnerability in Parasolid ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-797296.html


∗∗∗ SSA-753746 V1.0: Denial of Service Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-753746.html


∗∗∗ SSA-716164 V1.0: Multiple Vulnerabilities in Scalance W1750D ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-716164.html


∗∗∗ SSA-665034 V1.0: Vulnerability in Nozomi Guardian/CMC before 23.3.0 on RUGGEDCOM APE1808 devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-665034.html


∗∗∗ SSA-647068 V1.0: Ripple20 in SIMATIC RTLS Gateways ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-647068.html


∗∗∗ SSA-602936 V1.0: Multiple Vulnerabilities in SCALANCE SC-600 Family before V3.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-602936.html


∗∗∗ SSA-580228 V1.0: Use of Hard-Coded Credentials Vulnerability in Location Intelligence before V4.3 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-580228.html


∗∗∗ SSA-543502 V1.0: Local Privilege Escalation Vulnerability in Unicam FX ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-543502.html


∗∗∗ SSA-516818 V1.0: TCP Sequence Number Validation Vulnerability in the TCP/IP Stack of CP343-1 Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-516818.html


∗∗∗ SSA-108696 V1.0: Multiple Vulnerabilities in SIDIS Prime before V4.0.400 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-108696.html


∗∗∗ SSA-017796 V1.0: Multiple File Parsing Vulnerabilities in Tecnomatix Plant Simulation ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-017796.html


∗∗∗ SSA-000072 V1.0: Multiple File Parsing Vulnerabilities in Simcenter Femap ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-000072.html

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
