Daily summary - 02.10.2023

End-of-Day report

Timeframe: Friday 29-09-2023 18:00 - Monday 02-10-2023 18:00 Handler: Stephan Richter Co-Handler: n/a

News

Meet LostTrust ransomware - A likely rebrand of the MetaEncryptor gang

The LostTrust ransomware operation is believed to be a rebrand of MetaEncryptor, utilizing almost identical data leak sites and encryptors.

https://www.bleepingcomputer.com/news/security/meet-losttrust-ransomware-a-likely-rebrand-of-the-metaencryptor-gang/


New Marvin attack revives 25-year-old decryption flaw in RSA

A timing side channel in the handling of RSA PKCS #1 v1.5 padding, first exploited against SSL servers in 1998 (Bleichenbacher's attack) and long believed to have been resolved, still affects several widely used projects today.

https://www.bleepingcomputer.com/news/security/new-marvin-attack-revives-25-year-old-decryption-flaw-in-rsa/
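The class of bug behind Marvin is easiest to see in the unpadding step itself. The following is an added example, not code from the Marvin researchers or from any affected project: the structure of RSAES-PKCS1-v1_5 unpadding (RFC 8017 section 7.2.2) written once with early exits and once with fixed work. A step counter stands in for a timer, so the data-dependent work that a timing attack measures is visible without a stopwatch. The modulus size `k`, message length `mlen`, the `fallback` value and all test inputs are constructed here; CPython gives no constant-time guarantees, so the point is the code structure a C implementation must get right, not a timing measurement of this script.

```python
"""Leaky vs fixed-work PKCS#1 v1.5 unpadding (added illustrative example)."""
import secrets
from typing import Optional, Tuple


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x02 || PS || 0x00 || M, PS = at least 8 nonzero random bytes (RFC 8017 7.2.1)."""
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus size")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad_leaky(em: bytes, k: int) -> Tuple[Optional[bytes], int]:
    """Early-exit unpadding. Returns (message or None, number of byte checks performed).
    Each early return makes the work, and so the time, depend on WHERE the padding first
    fails, which is exactly the oracle a Bleichenbacher-style attacker needs."""
    steps = 0
    if len(em) != k:
        return None, steps
    steps += 1
    if em[0] != 0x00:
        return None, steps
    steps += 1
    if em[1] != 0x02:
        return None, steps
    i = 2
    while i < k and em[i] != 0x00:   # scan for the separator, stopping at the first zero
        steps += 1
        i += 1
    if i == k or i - 2 < 8:          # no separator, or PS shorter than 8 bytes
        return None, steps
    return em[i + 1:], steps


def unpad_fixed(em: bytes, k: int, mlen: int, fallback: bytes) -> Tuple[bytes, int]:
    """Fixed-work unpadding for a fixed expected message length mlen (for example a 48-byte TLS
    premaster secret). Every byte is examined, failures are OR-ed into `bad`, and the output is
    selected with a mask so the caller receives `fallback` (a fresh random value) on failure
    instead of taking an error path. Returns (message, number of byte checks performed); the
    count depends only on the public parameters k and mlen, never on the contents of em."""
    if len(em) != k or len(fallback) != mlen:
        raise ValueError("lengths are public parameters and must match")
    sep = k - mlen - 1                   # position where the 0x00 separator must sit
    bad = em[0] | (em[1] ^ 0x02)         # nonzero iff the two header bytes are wrong
    steps = 2
    for i in range(2, sep):              # every PS byte must be nonzero
        bad |= int(em[i] == 0)
        steps += 1
    bad |= em[sep]                       # separator must be zero
    steps += 1
    bad |= int(sep - 2 < 8)              # public parameter check: PS length >= 8
    mask = 0xFF * int(bad == 0)          # 0xFF on success, 0x00 on failure
    out = bytes((m & mask) | (f & (mask ^ 0xFF)) for m, f in zip(em[sep + 1:], fallback))
    return out, steps


def demo(k: int = 64, mlen: int = 48) -> dict:
    """Constructed inputs: one valid encoding and three invalid ones failing at different offsets."""
    msg = bytes(range(mlen))
    em = pkcs1_v15_pad(msg, k)
    fallback = secrets.token_bytes(mlen)
    cases = {
        "valid": em,
        "bad_first_byte": b"\x01" + em[1:],
        "bad_block_type": em[:1] + b"\x01" + em[2:],
        "zero_in_ps": em[:6] + b"\x00" + em[7:],
    }
    return {name: {"leaky": unpad_leaky(c, k), "fixed": unpad_fixed(c, k, mlen, fallback)}
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} leaky steps={result['leaky'][1]:3d}  fixed steps={result['fixed'][1]:3d}")
```

Run as a script, the leaky variant reports 1, 2 and 6 checks for the three bad encodings and 15 for the valid one, while the fixed variant always reports 16. The fixed variant is the shape RFC 5246 section 7.4.7.1 prescribes for TLS RSA key exchange: never signal the padding error, substitute a random premaster secret and let the handshake fail later in a way that does not depend on the padding.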


The Silent Threat of APIs: What the New Data Reveals About Unknown Risk

The rapid growth of APIs creates a widening attack surface and increasing unknown cybersecurity risks.

https://www.darkreading.com/attacks-breaches/silent-threat-of-apis-what-new-data-reveals-about-unknown-risk


Patch now: exploit for critical SharePoint vulnerability has surfaced

It is part of a very effective exploit chain for code execution on SharePoint servers that a researcher recently disclosed.

https://www.golem.de/news/jetzt-patchen-exploit-fuer-kritische-sharepoint-schwachstelle-aufgetaucht-2309-178119.html


Cybercriminals Using New ASMCrypt Malware Loader to Fly Under the Radar

Threat actors are selling a new crypter and loader called ASMCrypt, which has been described as an "evolved version" of another loader malware known as DoubleFinger. "The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc.," Kaspersky said in an analysis published this week.

https://thehackernews.com/2023/09/cybercriminals-using-new-asmcrypt.html


BunnyLoader: New Malware-as-a-Service Threat Emerges in the Cybercrime Underground

Cybersecurity experts have discovered yet another malware-as-a-service (MaaS) threat called BunnyLoader that's being advertised for sale on the cybercrime underground. "BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more," [...]

https://thehackernews.com/2023/10/bunnyloader-new-malware-as-service.html


Security researchers believe mass exploitation attempts against WS_FTP have begun

Early signs emerge after Progress Software said last week that there were no active attempts. Security researchers have spotted what they believe to be a "possible mass exploitation" of vulnerabilities in Progress Software's WS_FTP Server.

https://go.theregister.com/feed/www.theregister.com/2023/10/02/ws_ftp_update/


Temporary suspension of automatic snap registration following security incident

On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps. As a consequence of these reports, the Snap Store team has immediately taken down these snaps, and they can no longer be searched or installed. Furthermore, the Snap Store team has placed a temporary manual review requirement on all new snap registrations, effective immediately.

https://forum.snapcraft.io/t/temporary-suspension-of-automatic-snap-registration-following-security-incident/37077


The Hitchhiker's Guide to Malicious Third-Party Dependencies

The increasing popularity of certain programming languages has spurred the creation of ecosystem-specific package repositories and package managers. Such repositories (e.g., NPM, PyPI) serve as public databases that users can query to retrieve packages for various functionalities, [...] In this work, we show how attackers can [...] achieve arbitrary code execution on victim machines, thereby realizing open-source software supply chain attacks.

https://arxiv.org/abs/2307.09087


Fritzbox security hole analysed: risk even with remote access disabled

AVM is closing a security hole in many Fritzboxes. According to our analysis, it can be exploited remotely, even with remote access switched off.

https://www.heise.de/-9323225.html


BSI survey: critical infrastructures have catching up to do in IT security

Operators of critical infrastructure are lagging behind above all in implementing organisational security measures. The reasons: lack of staff and money.

https://www.heise.de/-9323606.html


Don't Let Zombie Zoom Links Drag You Down

Many organizations - including quite a few Fortune 500 firms - have exposed web links that allow anyone to initiate a Zoom video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organization's employees, customers or partners to phishing and other social engineering attacks.

https://krebsonsecurity.com/2023/10/dont-let-zombie-zoom-links-drag-you-down/


Silverfort Open Sources Lateral Movement Detection Tool

Silverfort has released the source code for its lateral movement detection tool LATMA, to help identify and analyze intrusions.

https://www.securityweek.com/silverfort-open-sources-lateral-movement-detection-tool/


Österreichische Post AG does not sell random parcels for 2 euros!

Fraudulent advertisements on Facebook pretend that the Post AG sells undeliverable parcels for only 2 euros. Supposedly this gives you the chance to be surprised with great items such as tablets, coffee machines or books. Warning: this is pure fraud. The ads and profiles do not come from the Post and the parcels do not exist. You end up in a subscription trap or unintentionally release your payment method for payments by criminals.

https://www.watchlist-internet.at/news/die-oesterreichische-post-ag-verkauft-keine-zufallspakete-fuer-2-euro/


No warning regarding the current Exim vulnerabilities (CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119)

On Wednesday 27 September the Zero Day Initiative published six vulnerabilities (CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119) in the Mail Transfer Agent (MTA) Exim.[1][2][3][4][5][6] After internal analysis and exchange with experts, we have reached conclusions similar to those now published on the project's official mailing list[7].

https://cert.at/de/aktuelles/2023/10/keine-warnung-zu-den-aktuellen-exim-schwachstellen-cve-2023-42114-cve-2023-42115-cve-2023-42116-cve-2023-42117-cve-2023-42118-cve-2023-42119


E-mail attack via Dropbox

BEC 3.0 attacks are on the rise and are even harder to detect because the attackers send links through legitimate services.

https://www.zdnet.de/88412118/e-mail-angriff-via-dropbox/


Critical security updates: Chrome, Edge, Firefox, Thunderbird, Tor

At the end of September 2023 there were security updates for various software to close critical vulnerabilities (0-days). In the Chromium browsers a vulnerability in the V8 encoder was closed (affects Google Chrome and Edge). The Mozilla developers have also released emergency updates for Firefox and Thunderbird. And Tor was updated accordingly as well. I summarize the updates in this collective post.

https://www.borncity.com/blog/2023/10/02/kritische-sicherheitsupdates-chrome-edge-firefox-thunderbirdtor/


Bitsight identifies nearly 100,000 exposed industrial control systems

Bitsight has identified nearly 100,000 exposed industrial control systems (ICS) potentially allowing an attacker to access and control physical infrastructure.

https://www.bitsight.com/blog/bitsight-identifies-nearly-100000-exposed-industrial-control-systems

Vulnerabilities

JetBrains TeamCity Unauthenticated Remote Code Execution

Risk: High. The entry is a Metasploit module ("This module requires Metasploit [...]").

https://cxsecurity.com/issue/WLB-2023100003


OpenRefine's Zip Slip Vulnerability Could Let Attackers Execute Malicious Code

A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems. Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip flaw (path traversal through archive entry names) that is triggered when importing a specially crafted project in versions 3.7.3 and earlier.

https://thehackernews.com/2023/10/openrefines-zip-slip-vulnerability.html
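Zip Slip is a generic bug in archive-import code, so it is worth seeing the vulnerable and the hardened extractor side by side. The following is an added example and is not OpenRefine's code: a Python extractor that trusts entry names beside one that resolves every target path and refuses anything outside the destination before writing a single file. The archive contents, directory names and the `demo()` helper are constructed for the example. Note that Python's own `zipfile.extractall()` already strips `..` components from entry names; the vulnerable variant writes entries by hand, which is how hand-rolled import code in many applications ends up looking.

```python
"""Zip Slip: vulnerable vs hardened extraction (added illustrative example)."""
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_zip(entries: dict) -> bytes:
    """Constructed test archive; names go into the headers verbatim, so '../x' survives as-is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def extract_vulnerable(zip_bytes: bytes, dest) -> list:
    """VULNERABLE: trusts entry names. os.path.join(dest, '../evil') lands above dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.abspath(target))
    return written


def safe_target(root: Path, name: str) -> Path:
    """Reject absolute names, drive-letter names and any name that resolves outside root.
    resolve() also follows symlinks already present under root, so a link planted by an
    earlier entry cannot redirect a later one."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        raise ValueError(f"absolute entry name: {name!r}")
    target = (root / name).resolve()
    if root not in target.parents:
        raise ValueError(f"entry escapes destination: {name!r}")
    return target


def extract_safe(zip_bytes: bytes, dest) -> list:
    """HARDENED: validate every entry first, so a bad archive leaves no partial state on disk."""
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [(info, safe_target(root, info.filename))
                   for info in zf.infolist() if not info.is_dir()]
        root.mkdir(parents=True, exist_ok=True)
        for info, target in members:
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(str(target))
    return written


def demo() -> dict:
    """Run both extractors against a constructed malicious archive in a fresh temp directory."""
    tmp = Path(tempfile.mkdtemp()).resolve()
    malicious = build_zip({"project/metadata.json": b"{}", "../escaped.txt": b"owned"})
    vuln_dest = tmp / "vuln"
    vuln_dest.mkdir()
    extract_vulnerable(malicious, vuln_dest)
    wrote_outside = (tmp / "escaped.txt").is_file()       # file landed next to, not inside, vuln_dest

    safe_dest = tmp / "safe"
    try:
        extract_safe(malicious, safe_dest)
        refused = False
    except ValueError:
        refused = True
    wrote_nothing = not safe_dest.exists()
    clean_ok = len(extract_safe(build_zip({"project/metadata.json": b"{}"}), safe_dest)) == 1
    return {
        "vulnerable_wrote_outside": wrote_outside,
        "safe_refused": refused,
        "safe_wrote_nothing": wrote_nothing,
        "safe_ok_on_clean_archive": clean_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened variant validates the whole member list before it creates the destination directory, which matters for an importer like a project loader: an archive with one bad entry among many is rejected outright rather than half-imported. Symlink entries inside the archive are a separate hardening item not covered here.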


Security updates available in PDF-XChange Editor/Tools 10.1.1.381

Released version 10.1.1.381, which addresses potential security and stability issues.

https://www.tracker-software.com/support/security-bulletins.html


Security updates for Monday

Security updates have been issued by Debian (chromium, cups, firefox-esr, firmware-nonfree, gerbv, jetty9, libvpx, mosquitto, open-vm-tools, python-git, python-reportlab, and trafficserver), Fedora (firefox, giflib, libvpx, libwebp, webkitgtk, and xen), Gentoo (Chromium, Google Chrome, Microsoft Edge, ClamAV, GNU Binutils, and wpa_supplicant, hostapd), Mageia (flac, giflib, indent, iperf, java, libvpx, libxml2, quictls, wireshark, and xrdp), Oracle (kernel), Slackware (libvpx and mozilla), and SUSE (bind, python, python-bugzilla, roundcubemail, seamonkey, and xen).

https://lwn.net/Articles/946186/


Suprema BioStar 2

Successful exploitation of this vulnerability could allow an attacker to perform a SQL injection to execute arbitrary commands.

https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-01


Multiple Vulnerabilities in Electrolink FM/DAB/TV Transmitter

https://www.zeroscience.mk/en/vulnerabilities/


K000137058 : Linux kernel vulnerability CVE-2022-4269

https://my.f5.com/manage/s/article/K000137058


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/