[CERT-daily] Tageszusammenfassung - 23.01.2024
Daily end-of-shift report
team at cert.at
Tue Jan 23 18:06:45 CET 2024
=====================
= End-of-Day report =
=====================
Timeframe: Montag 22-01-2024 18:00 − Dienstag 23-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries ∗∗∗
---------------------------------------------
Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate.
---------------------------------------------
https://thehackernews.com/2024/01/hackers-hijack-popular-java-and-android.html
∗∗∗ Cactus Ransomware malware analysis ∗∗∗
---------------------------------------------
On January 20th the Cactus ransomware group attacked a number of victims across varying industries. The attacks were disclosed on their leak site with the accompanying victim data.
---------------------------------------------
https://www.shadowstackre.com/analysis/cactus
∗∗∗ Vorsicht vor Peek & Cloppenburg Fake-Shops ∗∗∗
---------------------------------------------
Auf Facebook und Instagram werden gefälschte Angebote vom Modehaus „Peek & Cloppenburg“ beworben. In den gefälschten Werbeanzeigen werden Rabatte bis zu 90 % versprochen. Wenn Sie auf die Anzeige klicken, landen Sie in einem betrügerischen Shop, mit einer glaubwürdigen Internetadresse: „peek-cloppenburgsale.shop“.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-peek-cloppenburg-fake-shops/
∗∗∗ Threat Assessment: BianLian ∗∗∗
---------------------------------------------
We analyze the extremely active ransomware group BianLian. Mostly targeting healthcare, they have moved from double-extortion to extortion without encryption.
---------------------------------------------
https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/
∗∗∗ Conditional QR Code Routing Attacks ∗∗∗
---------------------------------------------
Over the summer, we saw a somewhat unexpected rise in QR-code based phishing attacks. These attacks were all fairly similar. The main goal was to induce the end-user to scan the QR Code, where they would be redirected to a credential harvesting page.
---------------------------------------------
https://blog.checkpoint.com/harmony-email/conditional-qr-code-routing-attacks/
∗∗∗ Lazarus Group Uses the DLL Side-Loading Technique (2) ∗∗∗
---------------------------------------------
Through the “Lazarus Group Uses the DLL Side-Loading Technique” [1] blog post, AhnLab SEcurity intelligence Center(ASEC) has previously covered how the Lazarus group used the DLL side-loading attack technique using legitimate applications in the initial access stage to achieve the next stage of their attack process.
---------------------------------------------
https://asec.ahnlab.com/en/60792/
∗∗∗ Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver ∗∗∗
---------------------------------------------
In this blog, we detail our investigation of the Kasseika ransomware and the indicators we found suggesting that the actors behind it have acquired access to the source code of the notorious BlackMatter ransomware.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortra warns of new critical GoAnywhere MFT auth bypass, patch now ∗∗∗
---------------------------------------------
Fortra is warning of a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) versions before 7.4.1 that allows an attacker to create a new admin user.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fortra-warns-of-new-critical-goanywhere-mft-auth-bypass-patch-now/
∗∗∗ Exploiting 0-click Android Bluetooth vulnerability to inject keystrokes without pairing ∗∗∗
---------------------------------------------
A recently discovered critical vulnerabilities (CVE-2023-45866, CVE-2024-21306) in Bluetooth can be exploited to inject keystrokes without user confirmation – by accepting any Bluetooth pairing request.
---------------------------------------------
https://www.mobile-hacker.com/2024/01/23/exploiting-0-click-android-bluetooth-vulnerability-to-inject-keystrokes-without-pairing/
∗∗∗ Sicherheitsfixes: Apple aktualisiert ältere Systeme – und räumt Zero Days ein ∗∗∗
---------------------------------------------
Apple hat neben macOS 14.3 und iOS 17.3 auch neue Versionen von iOS 15, 16, macOS 12 und 13 sowie Safari veröffentlicht. Es gab einen erneuten Zero-Day-Exploit.
---------------------------------------------
https://www.heise.de/news/Sicherheitsfixes-Apple-aktualisiert-aeltere-Systeme-und-raeumt-Zero-Days-ein-9605294.html
∗∗∗ Konfigurationsübertragung kann Behelfslösung zum Schutz von Ivanti ICS aufheben ∗∗∗
---------------------------------------------
Bislang können Admins Ivanti Connect Secure und Policy Secure nur über einen Workaround vor laufenden Attacken schützen. Dieser funktioniert aber nicht immer.
---------------------------------------------
https://www.heise.de/news/Konfigurationsuebertragung-kann-Behelfsloesung-zum-Schutz-von-Ivanti-ICS-aufheben-9605922.html
∗∗∗ Barracuda WAF: Kritische Sicherherheitslücken ermöglichen Umgehung des Schutzes ∗∗∗
---------------------------------------------
Barracuda hat einen Sicherheitshinweis bezüglich der Web Application Firewall veröffentlicht. Sicherheitslücken ermöglichen das Umgehen des Schutzes.
---------------------------------------------
https://www.heise.de/news/Barracuda-WAF-Kritische-Sicherherheitsluecken-ermoeglichen-Umgehung-des-Schutzes-9606036.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kodi and squid), Fedora (ansible-core, java-latest-openjdk, mingw-python-jinja2, openssh, and pgadmin4), Gentoo (Apache XML-RPC), Red Hat (gnutls and xorg-x11-server), Slackware (postfix), SUSE (bluez and openssl-3), and Ubuntu (gnutls28, libssh, and squid).
---------------------------------------------
https://lwn.net/Articles/959127/
∗∗∗ Splunk Security Advisories 2024-01-22 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ XSA-448 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-448.html
∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.7 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.7 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/
∗∗∗ Security Vulnerabilities fixed in Firefox 122 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/
∗∗∗ TRUMPF: Oseon contains vulnerable version of OpenSSL 1.1.x ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-006/
∗∗∗ TRUMPF: Multiple products include a vulnerable version of Notepad++ ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-003/
∗∗∗ TRUMPF: Multiple products contain vulnerable version of 7-zip ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-005/
∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2023-46838 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX587605/citrix-hypervisor-security-bulletin-for-cve202346838
∗∗∗ Crestron AM-300 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-02
∗∗∗ Lantronix XPort ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-05
∗∗∗ Voltronic Power ViewPower Pro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-03
∗∗∗ Orthanc Osimis DICOM Web Viewer ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01
∗∗∗ APsystems Energy Communication Unit (ECU-C) Power Control Software ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-01
∗∗∗ Westermo Lynx 206-F2G ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
More information about the Daily
mailing list