[CERT-daily] Tageszusammenfassung - 22.01.2024

Daily end-of-shift report team at cert.at
Mon Jan 22 18:18:11 CET 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 19-01-2024 18:00 − Montag 22-01-2024 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ Cracked software beats gold: new macOS backdoor stealing cryptowallets ∗∗∗
---------------------------------------------
We review a new macOS backdoor that piggybacks on cracked software to replace Bitcoin and Exodus wallets with malware.
---------------------------------------------
https://securelist.com/new-macos-backdoor-crypto-stealer/111778/


∗∗∗ Apache ActiveMQ Flaw Exploited in New Godzilla Web Shell Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers are warning of a "notable increase" in threat actor activity actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.
---------------------------------------------
https://thehackernews.com/2024/01/apache-activemq-flaw-exploited-in-new.html


∗∗∗ Confluence: Kritische Sicherheitslücke in veralteten Versionen wird ausgenutzt ∗∗∗
---------------------------------------------
Wie das Shadowserver-Projekt auf Mastodon meldet, durchpflügen Angreifer derzeit von 600 verschiedenen IP-Adressen das Netz nach möglichen Opfern. Eine simple HTTP-POST-Anfrage genügt, um die Sicherheitslücke auszunutzen und den Confluence-Server zu übernehmen. [..] Der Hersteller wies seine Kunden bereits am vergangenen Dienstag auf die Sicherheitslücke hin, die er wie 27 weitere im Rahmen des Atlassian-Patchday behoben hat.
---------------------------------------------
https://www.heise.de/-9605028


∗∗∗ VMware vCenter Server seit Monaten über CVE-2023-3404 angegriffen; Attacken weiten sich aus ∗∗∗
---------------------------------------------
Inzwischen hat auch VMware bestätigt, dass eine im Oktober 2023 gepatchte vCenter Server-Sicherheitslücke jetzt aktiv ausgenutzt wird. vCenter Server ist die Management-Plattform für VMware vSphere-Umgebungen, die Administratoren bei der Verwaltung von ESX- und ESXi-Servern und virtuellen Maschinen (VMs) unterstützt. [..] Sicherheitsforscher von Mandiant haben in diesem Beitrag offen gelegt, dass die chinesische Spionage-Gruppe UNC3886 diese Schwachstelle CVE-2023-34048 längst kannte und diese seit mindestens Ende 2021 aktiv angegriffen habe.
---------------------------------------------
https://www.borncity.com/blog/2024/01/22/vmware-vcenter-server-seit-monaten-ber-cve-2023-3404-angegriffen-attacken-weiten-sich-aus/


∗∗∗ NS-STEALER Uses Discord Bots to Exfiltrate Your Secrets from Popular Browsers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts. The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.
---------------------------------------------
https://thehackernews.com/2024/01/ns-stealer-uses-discord-bots-to.html


∗∗∗ Domain Escalation – Backup Operator ∗∗∗
---------------------------------------------
The Backup Operators is a Windows built-in group. Users which are part of this group have permissions to perform backup and restore operations. More specifically, these users have the SeBackupPrivilege assigned which enables them to read sensitive files from the domain controller i.e. Security Account Manager (SAM).
---------------------------------------------
https://pentestlab.blog/2024/01/22/domain-escalation-backup-operator/


∗∗∗ Vorsicht vor PayLife-E-Mails mit einem QR-Code ∗∗∗
---------------------------------------------
In einem gefälschten E-Mail werden Sie informiert, dass Ihre myPayLife App gesperrt ist. Angeblich können Sie keine Aufträge oder Internetzahlungen mehr freigeben. Um die Sperre aufzuheben, müssen Sie einen QR-Code scannen. Ignorieren Sie dieses E-Mail, es handelt sich um eine Phishing-Falle.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-paylife-e-mails-mit-einem-qr-code/


∗∗∗ Parrot TDS: A Persistent and Evolving Malware Campaign ∗∗∗
---------------------------------------------
Traffic detection system Parrot has infected tens of thousands of websites worldwide. We outline the scripting evolution of this injection campaign and its scope.
---------------------------------------------
https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/


∗∗∗ Is the Google search bar enough to hack Belgian companies? ∗∗∗
---------------------------------------------
In this blog post, we will go over a technique called Google Dorking and demonstrate how it can be utilized to uncover severe security vulnerabilities in web applications hosted right here in Belgium, where NVISO was founded.
---------------------------------------------
https://blog.nviso.eu/2024/01/22/is-the-google-search-bar-enough-to-hack-belgium-companies/


∗∗∗ The Confusing History of F5 BIG-IP RCE Vulnerabilities ∗∗∗
---------------------------------------------
If you want to know way too much about attacks against F5 BIG-IP devices, then this is the blog for you!
---------------------------------------------
https://www.greynoise.io/blog/the-confusing-history-of-f5-big-ip-rce-vulnerabilities



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Gambio 4.9.2.0 - Insecure Deserialization ∗∗∗
---------------------------------------------
Gambio is software designed for running online shops. It provides various features and tools to help businesses manage their inventory, process orders, and handle customer interactions. According to their homepage, the software is used by more than 25.000 shops. Security Risk: Critical, CVE Number: Pending, Vendor Status: Not fixed
---------------------------------------------
https://herolab.usd.de/security-advisories/usd-2023-0046/


∗∗∗ Sicherheitsupdates: Schlupflöcher für Schadcode in Lexmark-Druckern geschlossen ∗∗∗
---------------------------------------------
Angreifer können an vielen Druckermodellen von Lexmark ansetzen, um Geräte zu kompromittieren. Derzeit soll es noch keine Attacken geben.
---------------------------------------------
https://www.heise.de/-9604795


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (keystone and subunit), Fedora (dotnet6.0, golang, kernel, sos, and tigervnc), Mageia (erlang), Red Hat (openssl), SUSE (bluez, python-aiohttp, and seamonkey), and Ubuntu (postfix and xorg-server).
---------------------------------------------
https://lwn.net/Articles/959006/


∗∗∗ Critical Vulnerabilities Found in Open Source AI/ML Platforms ∗∗∗
---------------------------------------------
Security researchers flag multiple severe vulnerabilities in open source AI/ML solutions MLflow, ClearML, Hugging Face.The post Critical Vulnerabilities Found in Open Source AI/ML Platforms appeared first on SecurityWeek.
---------------------------------------------
https://www.securityweek.com/critical-vulnerabilities-found-in-ai-ml-open-source-platforms/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ WAGO: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-007/


∗∗∗ Spring: CVE-2024-22233: Spring Framework server Web DoS Vulnerability ∗∗∗
---------------------------------------------
https://spring.io/blog/2024/01/22/cve-2024-22233-spring-framework-server-web-dos-vulnerability


∗∗∗ Roundcube: Update 1.6.6 released ∗∗∗
---------------------------------------------
https://roundcube.net/news/2024/01/20/update-1.6.6-released

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list