End-of-Day report
Timeframe: Monday 09-10-2023 18:00 - Tuesday 10-10-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Patch Now: Massive RCE Campaign Wrangles Routers Into Botnet
Thousands of devices, including D-Link and Zyxel gear, remain vulnerable to takeover despite the availability of patches for the several bugs being exploited by the IZ1H9 campaign.
https://www.darkreading.com/cloud/patch-now-massive-rce-campaign-d-link-zyxel-botnet
Over 17,000 WordPress sites hacked in Balada Injector attacks last month
Multiple Balada Injector campaigns have compromised and infected over 17,000 WordPress sites using known flaws in premium theme plugins.
https://www.bleepingcomputer.com/news/security/over-17-000-wordpress-sites-hacked-in-balada-injector-attacks-last-month/
The Art of Concealment: A New Magecart Campaign That's Abusing 404 Pages
A new, sophisticated, and covert Magecart web skimming campaign has been targeting Magento and WooCommerce websites.
https://www.akamai.com/blog/security-research/magecart-new-technique-404-pages-skimmer
Now available: details on the vulnerabilities fixed in iOS 17 and co.
When iOS 17, iPadOS 17, watchOS 10 and tvOS 17 were released, Apple gave no details on the security patches they contained. These details can now be viewed.
https://www.heise.de/-9319162
'HTTP/2 Rapid Reset' Zero-Day Exploited to Launch Largest DDoS Attacks in History
Cloudflare, Google and AWS revealed on Tuesday that a new zero-day vulnerability named 'HTTP/2 Rapid Reset' has been exploited by malicious actors to launch the largest distributed denial-of-service (DDoS) attacks in internet history.
https://www.securityweek.com/rapid-reset-zero-day-exploited-to-launch-largest-ddos-attacks-in-history/
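The following is an added example for this report, not code from the original item or from any of the vendors named above. The attack pattern, as described in the public write-ups, is a client that opens a stream with HEADERS and cancels it at once with RST_STREAM, repeated at high rate, so the server does per-request work while the concurrent-stream limit never fills. The detector below walks a captured client-side HTTP/2 frame stream, counts requests and CANCEL resets per connection, and flags a connection whose cancel count and cancel-to-request ratio both exceed a threshold. The thresholds (100 cancels, ratio 0.5) and the constructed sample traffic are assumptions.

```python
"""Detect the HTTP/2 Rapid Reset pattern in a client's frame stream.

Added example for this report; not vendor code. Thresholds and the sample
traffic built below are assumptions for illustration.
"""
from dataclasses import dataclass, field

# HTTP/2 frame type codes and the CANCEL error code (RFC 9113, sections 6 and 7)
DATA = 0x0
HEADERS = 0x1
RST_STREAM = 0x3
CANCEL = 0x8
END_STREAM, END_HEADERS = 0x1, 0x4
FRAME_HEADER_LEN = 9


def encode_frame(ftype: int, stream_id: int, payload: bytes = b"", flags: int = 0) -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each frame in a raw byte stream.
    Assumes the connection preface and SETTINGS exchange were already consumed."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError(f"truncated frame at offset {off}")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


@dataclass
class ConnectionStats:
    requests: int = 0            # HEADERS frames opening a new client stream
    cancels: int = 0             # RST_STREAM(CANCEL) on streams the client opened
    immediate_cancels: int = 0   # cancel that directly followed the opening HEADERS
    open_streams: set = field(default_factory=set)


def analyse_client_frames(data: bytes, max_cancels: int = 100, max_ratio: float = 0.5) -> dict:
    """Count requests and client cancels on one connection and flag the Rapid Reset pattern.

    Assumed policy: at least max_cancels cancels AND a cancel/request ratio of at
    least max_ratio is abusive. Legitimate clients cancel a few streams, not most.
    """
    stats = ConnectionStats()
    last_opened = None  # stream id of the most recent HEADERS, cleared by any other frame
    for ftype, _flags, sid, payload in iter_frames(data):
        if ftype == HEADERS and sid not in stats.open_streams:
            stats.requests += 1
            stats.open_streams.add(sid)
            last_opened = sid
            continue
        if ftype == RST_STREAM and sid in stats.open_streams:
            stats.open_streams.discard(sid)
            if int.from_bytes(payload[:4], "big") == CANCEL:
                stats.cancels += 1
                if sid == last_opened:
                    stats.immediate_cancels += 1
        last_opened = None
    ratio = stats.cancels / stats.requests if stats.requests else 0.0
    return {
        "requests": stats.requests,
        "cancels": stats.cancels,
        "immediate_cancels": stats.immediate_cancels,
        "cancel_ratio": round(ratio, 3),
        "rapid_reset": stats.cancels >= max_cancels and ratio >= max_ratio,
    }


def rapid_reset_sample(n: int) -> bytes:
    """Constructed attack traffic: n streams, each opened and cancelled straight away."""
    out = bytearray()
    for i in range(n):
        sid = 2 * i + 1  # client-initiated stream ids are odd
        out += encode_frame(HEADERS, sid, b"\x82\x84", END_STREAM | END_HEADERS)  # GET / via HPACK static indices
        out += encode_frame(RST_STREAM, sid, CANCEL.to_bytes(4, "big"))
    return bytes(out)


def benign_sample() -> bytes:
    """Constructed normal traffic: ten POST-like requests with bodies, one cancelled later."""
    out = bytearray()
    for i in range(10):
        sid = 2 * i + 1
        out += encode_frame(HEADERS, sid, b"\x83\x84", END_HEADERS)  # POST / via HPACK static indices
        out += encode_frame(DATA, sid, b"payload", END_STREAM)
    out += encode_frame(RST_STREAM, 3, CANCEL.to_bytes(4, "big"))  # client gave up on one response
    return bytes(out)


if __name__ == "__main__":
    print("benign:", analyse_client_frames(benign_sample()))
    print("attack:", analyse_client_frames(rapid_reset_sample(500)))
```

The benign sample yields one cancel in ten requests and is not flagged; the attack sample yields as many cancels as requests, every one of them immediately after its HEADERS, and is flagged. A real mitigation acts on the whole connection (GOAWAY and close, or a cap on new-stream rate), not on the individual request, because each reset request has already cost the server work by the time the RST_STREAM arrives.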
Take a note of SpyNote!
Among noteworthy spyware, one that has been in the limelight recently is SpyNote. This spyware app spreads via smishing (malicious SMS messages) that urges victims to install the app from the links provided. The hosting and download happen outside the official Play Store, which sidesteps the security review Google Play would otherwise apply to the app.
https://blog.f-secure.com/take-a-note-of-spynote/
Android devices infected with malware from the factory
Set-top boxes with certain Allwinner and Rockchip chipsets ship with the Badbox trojan. It displays unwanted adverts and spreads malicious apps.
https://www.zdnet.de/88412275/android-geraete-ab-werk-mit-malware-infiziert/
Infostealer with Abnormal Certificate Being Distributed
Recently, there has been a high distribution rate of malware using abnormal certificates. Malware often disguises itself with normal-looking certificates. In this case, however, the certificate fields were filled with random data, with the Subject Name and Issuer Name fields containing unusually long strings. As a result, the certificate information is not displayed by Windows, and a specific tool or infrastructure is required to inspect the structure of these certificates.
https://asec.ahnlab.com/en/57553/
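The following is an added example for this report, not ASEC's tooling or the malware author's code. It reads the Issuer and Subject names directly out of a DER-encoded certificate with a minimal stdlib-only DER walker, so the check does not depend on what the Windows certificate viewer is willing to render, and flags a name whose encoded length is far beyond what a CA-issued signing identity would have. The 1 KiB threshold and the sample certificate built by build_sample_cert() (an unsigned skeleton with placeholder key and signature fields) are assumptions.

```python
"""Read Subject and Issuer straight out of a DER certificate and flag abnormally long names.

Added example for this report; not ASEC's tooling. Pure stdlib, so it does not rely on
Windows' certificate viewer. The 1 KiB threshold and the sample certificate built by
build_sample_cert() are assumptions.
"""

# DER tag bytes used below
SEQUENCE, SET, OID, UTF8STRING, BITSTRING, INTEGER, NULL, UTCTIME = (
    0x30, 0x31, 0x06, 0x0C, 0x03, 0x02, 0x05, 0x17)
EXPLICIT_0 = 0xA0  # [0] wrapper around the tbsCertificate version

OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}


def read_tlv(buf: bytes, off: int = 0):
    """Parse one DER TLV at off; return (tag, value, offset_after)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[off:off + length], off + length


def children(buf: bytes):
    """Yield (tag, value) for each element inside a constructed value."""
    off = 0
    while off < len(buf):
        tag, value, off = read_tlv(buf, off)
        yield tag, value


def tlv(tag: int, value: bytes) -> bytes:
    """Encode a DER TLV (only needed to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def name_to_string(name: bytes) -> str:
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'CN=...,O=...'."""
    parts = []
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, value) = list(children(atv))[:2]
            parts.append(f"{OID_NAMES.get(oid, 'OID:' + oid.hex())}={value.decode('utf-8', 'replace')}")
    return ",".join(parts)


def cert_names(der: bytes) -> dict:
    """Return issuer/subject strings and their DER-encoded lengths from a certificate."""
    _, cert, _ = read_tlv(der)
    _, tbs, _ = read_tlv(cert)  # tbsCertificate is the first element of Certificate
    fields = list(children(tbs))
    if fields and fields[0][0] == EXPLICIT_0:  # optional version
        fields = fields[1:]
    # tbsCertificate order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, subject = fields[2][1], fields[4][1]
    return {"issuer": name_to_string(issuer), "issuer_len": len(issuer),
            "subject": name_to_string(subject), "subject_len": len(subject)}


def is_abnormal(der: bytes, max_name_len: int = 1024) -> bool:
    """Assumed rule: a signer name longer than 1 KiB of DER is not a real CA-issued identity."""
    names = cert_names(der)
    return names["issuer_len"] > max_name_len or names["subject_len"] > max_name_len


def build_sample_cert(common_name: str) -> bytes:
    """Constructed certificate skeleton with common_name as both issuer and subject CN.
    Key and signature fields are placeholders; this is not a signed certificate."""
    def name(cn):
        atv = tlv(SEQUENCE, tlv(OID, b"\x55\x04\x03") + tlv(UTF8STRING, cn.encode()))
        return tlv(SEQUENCE, tlv(SET, atv))
    sha256_rsa = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d01010b")) + tlv(NULL, b""))
    rsa_enc = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d010101")) + tlv(NULL, b""))
    validity = tlv(SEQUENCE, tlv(UTCTIME, b"231010000000Z") + tlv(UTCTIME, b"241010000000Z"))
    spki = tlv(SEQUENCE, rsa_enc + tlv(BITSTRING, b"\x00\x00"))
    tbs = tlv(SEQUENCE, tlv(EXPLICIT_0, tlv(INTEGER, b"\x02")) + tlv(INTEGER, b"\x01")
              + sha256_rsa + name(common_name) + validity + name(common_name) + spki)
    return tlv(SEQUENCE, tbs + sha256_rsa + tlv(BITSTRING, b"\x00\x00"))


if __name__ == "__main__":
    for cn in ("Example Signer Ltd", "X" * 4000):
        info = cert_names(build_sample_cert(cn))
        print(info["subject"][:40], info["subject_len"], "abnormal:", is_abnormal(build_sample_cert(cn)))
```

The block takes the certificate's DER bytes as input; pulling the signer certificate out of a PE's Authenticode blob (the PKCS#7 structure in the security directory) is a separate step not shown here. For a one-off check on an extracted certificate, `openssl x509 -inform DER -noout -subject -issuer` prints the same two names.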
CISA, Government, and Industry Partners Publish Fact Sheet for Organizations Using Open Source Software
This guidance is intended to assist both senior leadership and operations personnel at OT/ICS vendors and critical infrastructure entities with better management of risk from OSS use in OT/ICS products, to include software supply chain, and increase resilience using available resources.
https://www.cisa.gov/news-events/news/cisa-government-and-industry-partners-publish-fact-sheet-organizations-using-open-source-software
Vulnerabilities
Via SSID: vulnerability in D-Link repeater allows code execution
During the network scan performed by the D-Link DAP-X1860, unintended code execution can occur. Attacks are possible via specially crafted SSIDs.
https://www.golem.de/news/per-ssid-schwachstelle-in-d-link-repeater-erlaubt-codeausfuehrung-2310-178351.html
Siemens Security Advisories 2023-10-10
SSA-843070: SCALANCE W1750D, SSA-829656: Xpedition Layout Browser, SSA-784849: SIMATIC CP Devices, SSA-770890: SICAM A8000 Devices, SSA-647455: RUGGEDCOM APE1808 devices, SSA-594373: SINEMA Server V14, SSA-524778: Tecnomatix Plant Simulation, SSA-386812: Simcenter Amesim before V2021.1, SSA-295483: Mendix, SSA-160243: SINEC NMS before V2.0, SSA-134651: SICAM A8000 Devices, SSA-035466: SICAM PAS/PQS
https://www.siemens.com/global/en/products/services/cert.html#SecurityPublications
Backup: Acronis closes security holes in the Agent for Linux, Mac and Windows
Acronis has released an update for the Agent for Linux, Mac and Windows. Among other things, it closes a high-risk vulnerability.
https://www.heise.de/-9329516
Security updates: code execution and root vulnerabilities threaten IBM software
IBM has closed severe vulnerabilities, among others in the Db2 database management system.
https://www.heise.de/-9329404
Security updates for Tuesday
Security updates have been issued by Fedora (chromium, firefox, and kernel), Gentoo (less and libcue), Red Hat (bind, libvpx, nodejs, and python3), Scientific Linux (firefox and thunderbird), SUSE (conmon, go1.20, go1.21, shadow, and thunderbird), and Ubuntu (libcue, ring, and ruby-kramdown).
https://lwn.net/Articles/947233/
One-Click GNOME Exploit Could Pose Serious Threat to Linux Systems
A one-click exploit targeting the Libcue component of the GNOME desktop environment could pose a serious threat to Linux systems.
https://www.securityweek.com/one-click-gnome-exploit-could-pose-serious-threat-to-linux-systems/
SAP Releases 7 New Notes on October 2023 Patch Day
SAP has released seven new notes as part of its October 2023 Security Patch Day, all rated 'medium severity'.
https://www.securityweek.com/sap-releases-7-new-notes-on-october-2023-patch-day/
Unencrypted Bluetooth connection on the Amazfit Bip U smartwatch (SYSS-2023-022)
The Amazfit Bip U smartwatch communicates unencrypted with the paired smartphone. All messages can therefore be intercepted by attackers.
https://www.syss.de/pentest-blog/unverschluesselte-bluetoothverbindung-bei-smartwatch-amazfit-bip-u-syss-2023-022
Ivanti Endpoint Manager new vulnerabilities
There are two vulnerabilities we have recently discovered that impact Ivanti Endpoint Manager (EPM) versions 2022 and below. They both have CVSS scores in the 'Moderate' range. We are reporting them as CVE-2023-35083 and CVE-2023-35084.
https://www.ivanti.com/blog/ivanti-endpoint-manager-new-vulnerabilities
F5 BIG-IP Security Advisories 2023-10-10
https://my.f5.com/manage/s/new-updated-articles#sort=%40f5_updated_published_date%20descending&periodFilter=0&dateField=0
Xen Security Advisories
https://xenbits.xen.org/xsa/
Citrix NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967
https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
Citrix Hypervisor Multiple Security Updates
https://support.citrix.com/article/CTX575089/citrix-hypervisor-multiple-security-updates