Daily Summary - 12.10.2023

End-of-Day report

Timeframe: Wednesday 11-10-2023 18:00 - Thursday 12-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Well, this SOCKS - curl SOCKS 5 Heap Buffer Overflow (CVE-2023-38545)

After an advisory for "the worst vulnerability in curl in a long time" was announced last week, frightened, sleep-deprived and chronically under-caffeinated admins and security specialists could assess the damage following yesterday's release. The good news: the apocalypse has passed us by. The bad news: the CVSS(v2) score does not always adequately capture the severity of a vulnerability.

https://cert.at/de/blog/2023/10/well-this-socks-curl-socks-5-heap-buffer-overflow-cve-2023-38545


ToddyCat: Keep calm and check logs

In this article, we'll describe ToddyCat's new toolset, the malware used to steal and exfiltrate data, and the techniques this group uses to move laterally and conduct espionage operations.

https://securelist.com/toddycat-keep-calm-and-check-logs/110696/


Malicious NuGet Package Targeting .NET Developers with SeroXen RAT

A malicious package hosted on the NuGet package manager for the .NET Framework has been found to deliver a remote access trojan called SeroXen RAT. The package, named Pathoschild.Stardew.Mod.Build.Config and published by a user named Disti, is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig, software supply chain security firm Phylum said in a report today. While the real package has received nearly 79,000 downloads to date, the malicious variant is said to have artificially inflated its download count after being published on October 6, 2023, to surpass 100,000 downloads.

https://thehackernews.com/2023/10/malicious-nuget-package-targeting-net.html
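The typosquat above differs from the legitimate ID only in where the dots sit, and the inflated download count was the bait. A check that normalizes away case and separators before comparing a dependency list against trusted package IDs catches exactly this class. The following is an added example, not Phylum's or NuGet's code; the TRUSTED list is a constructed allow-list (its first entry is the legitimate package named in the report, the second is a hypothetical entry), and the one-character edit-distance tolerance is an assumption chosen for the demo.

```python
"""Flag dependency names that collide with trusted package IDs after normalization.

Added example, not Phylum's or NuGet's code. TRUSTED is a constructed allow-list;
the first entry is the legitimate package named in the report.
"""
import re

TRUSTED = ["Pathoschild.Stardew.ModBuildConfig", "Newtonsoft.Json"]


def normalize(name: str) -> str:
    """Drop the signals a typosquat plays with: case and separator placement."""
    return re.sub(r"[.\-_]", "", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to also catch one-character typos that survive normalization."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(dependency: str, trusted=TRUSTED, max_distance: int = 1):
    """Trusted IDs that `dependency` resembles but is not. NuGet IDs compare
    case-insensitively, so a case-only difference is the same package and is skipped."""
    norm = normalize(dependency)
    return [t for t in trusted
            if t.lower() != dependency.lower()
            and edit_distance(norm, normalize(t)) <= max_distance]


def audit(dependencies, trusted=TRUSTED):
    """Map each suspicious dependency to the trusted IDs it shadows; empty dict means clean."""
    return {d: c for d in dependencies if (c := typosquat_candidates(d, trusted))}


if __name__ == "__main__":
    # Constructed dependency list containing the typosquat from the report.
    print(audit(["Newtonsoft.Json", "Pathoschild.Stardew.Mod.Build.Config"]))
```

Run it against the package IDs in a project's lock or restore output before the first restore; a non-empty result is a stop signal for manual review. As the report shows, download counts can be manufactured and are not a substitute for this kind of check.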


New paper: Nexus Android banking botnet - compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

https://www.virusbulletin.com/blog/2023/10/new-paper-nexus-android-banking-botnet-compromising-cc-panels-and-dissecting-mobile-appinjects/


Backdoor Malware Found on WordPress Website Disguised as Legitimate Plugin

A backdoor deployed on a compromised WordPress website poses as a legitimate plugin to hide its presence.

https://www.securityweek.com/backdoor-malware-found-on-wordpress-website-disguised-as-legitimate-plugin/


Using Velociraptor for large-scale endpoint visibility and rapid threat hunting

In this post we give an overview of some of the capabilities of Velociraptor and how we have used them to conduct real-time threat hunting, shedding light on how it can equip security teams to proactively safeguard their environments.

https://www.pentestpartners.com/security-blog/using-velociraptor-for-large-scale-endpoint-visibility-and-rapid-threat-hunting/


Fake business directories and company registers lure victims into expensive subscription traps!

We are currently receiving numerous reports of dubious trade, address and company directories that try to extract money from businesses. By e-mail, phone or fax, companies are talked into registering in a useless and often non-existent business directory. Anyone who accepts the offer ends up with an overpriced subscription that is hard to cancel. Small and medium-sized enterprises are the main targets of this scam.

https://www.watchlist-internet.at/news/angebliche-branchenbuecher-und-firmenverzeichnisse-locken-in-teure-abo-falle/


XOR Known-Plaintext Attacks

In this blog post, we show in detail how a known-plaintext attack on XOR encoding works, and automate it with custom tools to decrypt and extract the configuration of a Cobalt Strike beacon. If you are not interested in the theory, just in the tools, go straight to the conclusion.

https://blog.nviso.eu/2023/10/12/xor-known-plaintext-attacks/
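The core of the attack described above is simple: XOR is its own inverse, so wherever a guessed plaintext fragment is correct, ciphertext XOR fragment yields a slice of the keystream, and a repeating key shows up as periodicity in that slice. The following is an added example illustrating the technique, not the NVISO tooling from the post; the sample blob, the 4-byte key and the "known" fragment are constructed for the demo and are not real beacon data.

```python
"""Known-plaintext attack on repeating-key XOR.

Added example, not the NVISO tooling from the post. The sample blob, key and
"known" fragment below are constructed for the demo; they are not real beacon data.
"""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encoding and decoding are the same operation."""
    return bytes(c ^ k for c, k in zip(data, cycle(key)))


def recover_keys(ciphertext: bytes, known: bytes, max_key_len: int = 16):
    """Slide `known` over `ciphertext`. Where the guess is right, ciphertext XOR
    known is a slice of the keystream, i.e. periodic with the key length L.
    Demanding at least two full periods (L <= len(known) // 2) keeps random
    windows from passing. Returns (offset, key) pairs with the key rotated so
    it applies from ciphertext offset 0, shortest period first.
    """
    n = len(known)
    hits = []
    for offset in range(len(ciphertext) - n + 1):
        stream = bytes(c ^ p for c, p in zip(ciphertext[offset:offset + n], known))
        for L in range(1, min(max_key_len, n // 2) + 1):
            if all(stream[i] == stream[i % L] for i in range(n)):
                # stream[i] == key[(offset + i) % L]  =>  key[j] == stream[(j - offset) % L]
                key = bytes(stream[(j - offset) % L] for j in range(L))
                hits.append((offset, key))
                break  # longer periods at this offset would only repeat this key
    return hits


# Constructed sample: a fake config blob encoded under a 4-byte key.
SAMPLE_KEY = bytes.fromhex("692e5ac3")
SAMPLE_PLAINTEXT = (b"\x00\x01\x00\x01\x00\x02"
                    + b"beacon.example.invalid:443\x00" * 2
                    + b"\x00" * 16)
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def demo():
    """The analyst guesses a fragment the config must contain (a C2 host:port)
    without knowing the key, its length, or where the fragment sits."""
    known = b"example.invalid:443\x00"  # 20 bytes: keys up to 10 bytes are detectable
    hits = recover_keys(SAMPLE_CIPHERTEXT, known)
    offset, key = hits[0]
    return offset, key, xor_bytes(SAMPLE_CIPHERTEXT, key)


if __name__ == "__main__":
    off, k, pt = demo()
    print(f"fragment found at offset {off}, key {k.hex()}")
    print(pt)
```

The known fragment must be at least twice the key length, otherwise any window passes the periodicity test; with a short guess, extend it with bytes the format guarantees (field terminators, padding) rather than lowering the threshold. The same routine degenerates cleanly to the single-byte-key case, where periodicity simply means all keystream bytes are equal.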

Vulnerabilities

An analysis of PoS/ cashIT! cash registers

This report summarizes our findings about vulnerabilities in cashIT!, a cash register system implementing the Austrian cash register security regulation (RKSV). Besides lack of encryption, outdated software components and low-entropy passwords, these weaknesses include a bypass of origin checks (CVE-2023-3654), unauthenticated remote database exfiltration (CVE-2023-3655), and unauthenticated remote code execution with administrative privileges on the cash register host machines (CVE-2023-3656). Based on our analysis, these vulnerabilities affect over 200 cash register installations in Austrian restaurants that are reachable over the Internet.

https://epub.jku.at/obvulioa/content/titleinfo/9142358


Security updates: backdoor vulnerability threatens Juniper network devices

Vulnerabilities in the Junos OS network operating system threaten Juniper routing, switching and security devices.

https://www.heise.de/-9332169


10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflows

Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device [..] All these vulnerabilities also have a severity score of 9.8. Talos is disclosing these vulnerabilities despite no official patch from Yifan, in adherence to Cisco's third-party vendor vulnerability disclosure policy.

https://blog.talosintelligence.com/vulnerability-roundup-webkit-and-yifan-router/


40 vulnerabilities closed in IBM security solution QRadar SIEM

Multiple components of IBM QRadar SIEM contain security vulnerabilities and put the security information and event management system at risk.

https://www.heise.de/-9332542


Wordfence Intelligence Weekly WordPress Vulnerability Report (October 2, 2023 to October 8, 2023)

Last week, there were 92 vulnerabilities disclosed in 88 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week.

https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpress-vulnerability-report-october-2-2023-to-october-8-2023/


Security updates for Thursday

Security updates have been issued by Debian (libcue, org-mode, python3.7, and samba), Fedora (libcue, oneVPL, oneVPL-intel-gpu, and xen), Mageia (glibc), Oracle (glibc, kernel, libssh2, libvpx, nodejs, and python-reportlab), Slackware (libcaca), SUSE (gsl, ImageMagick, kernel, opensc, python-urllib3, qemu, rage-encryption, samba, and xen), and Ubuntu (curl and samba).

https://lwn.net/Articles/947570/


Weintek cMT3000 HMI Web CGI

https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-12


Advantech WebAccess

https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-15


Santesoft Sante FFT Imaging

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-02


Santesoft Sante DICOM Viewer Pro

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-01


Mitsubishi Electric MELSEC-F Series

https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-13


Hikvision Access Control and Intercom Products

https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-14


PILZ : WIBU Vulnerabilities in multiple Products

https://cert.vde.com/de/advisories/VDE-2023-033/


Schneider Electric IGSS

https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-16


CVE-2023-3281 Cortex XSOAR: Cleartext Exposure of Client Certificate Key in Kafka v3 Integration (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2023-3281


IBM Aspera Faspex has addressed an IP address restriction bypass vulnerability

https://www.ibm.com/support/pages/node/7048851


Vulnerability in okio-1.13.0.jar affects APM WebSphere Application Server Agent, APM Tomcat Agent, APM SAP NetWeaver Java Stack Agent, APM WebLogic Agent and APM Data Collector for J2SE

https://www.ibm.com/support/pages/node/7051173


IBM App Connect Enterprise is vulnerable to a potential information disclosure

https://www.ibm.com/support/pages/node/7051204