End-of-Day report
Timeframe: Freitag 13-10-2023 18:00 - Montag 16-10-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
DarkGate malware spreads through compromised Skype accounts
Between July and September, DarkGate malware attacks have used compromised Skype accounts to infect targets through messages containing VBA loader script attachments.
https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-through-compromised-skype-accounts/
Scanning evasion issue in Cisco Secure Email Gateway
Cisco Secure Email Gateway provided by Cisco Systems may fail to detect specially crafted files.
https://jvn.jp/en/jp/JVN58574030/
Security review for Microsoft Edge version 118
We are pleased to announce the security review for Microsoft Edge, version 118! We have reviewed the new settings in Microsoft Edge version 118 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 117 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit.
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-review-for-microsoft-edge-version-118/ba-p/3955123
SpyNote: Beware of This Android Trojan that Records Audio and Phone Calls
The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features.Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure.
https://thehackernews.com/2023/10/spynote-beware-of-this-android-trojan.html
Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign
Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems."The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 [..]
https://thehackernews.com/2023/10/pro-russian-hackers-exploiting-recent.html
Signal says there is no evidence rumored zero-day bug is real
As this is an ongoing investigation, and the mitigation is to simply disable the Link Previews feature, users may want to turn this setting off for the time being until its fully confirmed not to be real.
https://www.bleepingcomputer.com/news/security/signal-says-there-is-no-evidence-rumored-zero-day-bug-is-real/
-EtherHiding- - Hiding Web2 Malicious Code in Web3 Smart Contracts
Over the last two months, leveraging a vast array of hijacked WordPress sites, this threat actor has misled users into downloading malicious fake -browser updates-. While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they-ve quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain. This campaign is up and harder than ever to detect and take down.
https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16
Blocking Dedicated Attacking Hosts Is Not Enough: In-Depth Analysis of a Worldwide Linux XorDDoS Campaign
We provide a comprehensive analysis of the XorDDoS Trojans attacking behaviors. Subsequently, we unveil the intricate network infrastructure orchestrating the campaigns botnet. Lastly, we introduce the advanced signatures derived from the key attacking hotspots, including hostnames, URLs and IP addresses. These signatures effectively identified over 1,000 XorDDoS C2 traffic sessions in August 2023 alone.
https://unit42.paloaltonetworks.com/new-linux-xorddos-trojan-campaign-delivers-malware/
WS_FTP: Ransomware-Attacken auf ungepatchte Server
In WS_FTP hat Hersteller Progress kürzlich teils kritische Sicherheitslücken geschlossen. Inzwischen sieht Sophos Ransomware-Angriffe darauf.
https://www.heise.de/news/WS-FTP-Ransomware-Attacken-auf-ungepatchte-Server-9335146.html
Milesight Industrial Router Vulnerability Possibly Exploited in Attacks
A vulnerability affecting Milesight industrial routers, tracked as CVE-2023-4326, may have been exploited in attacks.
https://www.securityweek.com/milesight-industrial-router-vulnerability-possibly-exploited-in-attacks/
Sie verkaufen auf Willhaben? Diese Betrugsmasche sollten Sie kennen!
Auf Willhaben und anderen Verkaufsplattformen begegnen Ihnen sicherlich auch mal Betrüger:innen. Besonders vorsichtig sollten Sie sein, wenn Sie zum ersten Mal verkaufen und Sie den Ablauf eines Verkaufs noch nicht so gut kennen. Wir zeigen Ihnen eine gängige Betrugsmasche und wie Sie sich davor schützen!
https://www.watchlist-internet.at/news/sie-verkaufen-auf-willhaben-diese-betrugsmasche-sollten-sie-kennen/
curl-Schwachstelle durch Microsoft ungepatcht
In der Bibliothek und im Tool curl gibt es in älteren Versionen eine Schwachstelle, die vom Projekt am 11. Oktober 2023 mit der Version 8.4.0 geschlossen wurde. Microsoft liefert curl mit Windows aus, und es stellte sich die Frage, ob curl zum Patchday, 10. Oktober 2023, ebenfalls aktualisiert wurde. Mein Stand ist, dass in Windows auch nach den Oktober 2023-Updates die veraltete curl-Version enthalten ist.
https://www.borncity.com/blog/2023/10/14/curl-schwachstelle-durch-microsoft-ungepatcht/
Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability
Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.
https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a
Vulnerabilities
Exim bugs
Fixed in 4.96.2/4.97:
- CVE-2023-42117: Improper Neutralization of Special Elements
- CVE-2023-42119: dnsdb Out-Of-Bounds Read
libspf2 Integer Underflow:
- CVE-2023-42118: Mitigation: Do not use the `spf` condition in your ACL
https://exim.org/static/doc/security/CVE-2023-zdi.txt
Wordpress: Übernahme durch Lücke in Royal Elementor Addons and Template
Im Wordpress-Plug-in Royal Elementor Addons and Template missbrauchen Cyberkriminelle eine kritische Lücke. Sie nutzen sie zur Übernahme von Instanzen.
https://www.heise.de/news/Wordpress-Uebernahme-durch-Luecke-in-Royal-Elementor-Addons-and-Template-9335615.html
Samba: Neue Versionen beheben mehrere Sicherheitslücken
Durch verschiedene Programmierfehler konnten Angreifer auf geheime Informationen bis hin zum Kerberos-TGT-Passwort zugreifen. Aktualisierungen stehen bereit.
https://www.heise.de/news/Samba-Neue-Versionen-beheben-mehrere-Sicherheitsluecken-9335169.html
Security updates for Monday
Security updates have been issued by Debian (batik, poppler, and tomcat9), Fedora (chromium, composer, curl, emacs, ghostscript, libwebp, libXpm, netatalk, nghttp2, python-asgiref, python-django, and webkitgtk), Mageia (curl and libX11), Oracle (bind, busybox, firefox, and kernel), Red Hat (curl, dotnet6.0, dotnet7.0, and nginx), SUSE (chromium, cni, cni-plugins, grub2, netatalk, opensc, opera, and wireshark), and Ubuntu (iperf3).
https://lwn.net/Articles/947891/
Vulnerabilities in Video Station
Three vulnerabilities have been reported to affect Video Station:
- CVE-2023-34975 and CVE-2023-34976: SQL injection vulnerabilities
- CVE-2023-34977: Cross-site scripting (XSS) vulnerability
If exploited, these vulnerabilities could allow authenticated users to inject malicious code via a network.
https://www.qnap.com/en-us/security-advisory/QSA-23-52
Vulnerabilities in QTS, QuTS hero, and QuTScloud
Two vulnerabilities have been reported to affect several QNAP operating system versions:
- CVE-2023-32970: If exploited, the null pointer dereference vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network.
- CVE-2023-32973: If exploited, the buffer copy without checking size of input vulnerability could allow authenticated administrators to execute code via a network.
https://www.qnap.com/en-us/security-advisory/QSA-23-41
Vulnerability in QTS, QuTS hero, and QuTScloud
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read and expose sensitive data via a network.
https://www.qnap.com/en-us/security-advisory/QSA-23-42
Vulnerability in Container Station
An OS command injection vulnerability has been reported to affect Container Station. If exploited, the vulnerability could allow authenticated administrators to execute arbitrary commands via a network.
https://www.qnap.com/en-us/security-advisory/QSA-23-44
web2py vulnerable to OS command injection
https://jvn.jp/en/jp/JVN80476432/
cURL and libcurl Vulnerability Affecting Cisco Products: October 2023
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-curl-libcurl-D9ds39cV
Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
FortiSandbox - XSS on delete endpoint
https://fortiguard.fortinet.com/psirt/FG-IR-23-311
FortiSandbox - Reflected Cross Site Scripting (XSS) on download progress endpoint
https://fortiguard.fortinet.com/psirt/FG-IR-23-215
FortiSandbox - Arbitrary file delete
https://fortiguard.fortinet.com/psirt/FG-IR-23-280
Red Lion Europe: Vulnerability allows access to non-critical information in mbCONNECT24 and mymbCONNECT24
https://cert.vde.com/de/advisories/VDE-2023-041/
Helmholz: Vulnerability allows access to non-critical information in myREX24 and myREX24.virtual
https://cert.vde.com/de/advisories/VDE-2023-043/
2023-10 Security Bulletin: Junos OS and Junos OS Evolved: High CPU load due to specific NETCONF command (CVE-2023-44184)
https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-High-CPU-load-due-to-specific-NETCONF-command-CVE-2023-44184
IBM Security Verify Access Appliance has multiple security vulnerabilities
https://www.ibm.com/support/pages/node/7009735
Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products.
https://www.ibm.com/support/pages/node/6953617
Security Vulnerabilities fixed in IBM Security Verify Access (CVE-2022-40303)
https://www.ibm.com/support/pages/node/7009741
IBM Security Verify Access OpenID Connect Provider container has fixed multiple vulnerabilities (CVE-2022-43868, CVE-2022-43739, CVE-2022-43740)
https://www.ibm.com/support/pages/node/7028513
IBM Security Verify Access product is vulnerable to Open Redirects (AAC module ) (CVE-2023-30433)
https://www.ibm.com/support/pages/node/7012613
Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946)
https://www.ibm.com/support/pages/node/7014261
IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342)
https://www.ibm.com/support/pages/node/7014259
Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9.
https://www.ibm.com/support/pages/node/7052776
Multiple Vulnerabilities of Apache HttpClient have affected IBM Jazz Reporting Service
https://www.ibm.com/support/pages/node/7052811
Google Guava component is vulnerable to CVE-2023-2976 is used by IBM Jazz Reporting Services.
https://www.ibm.com/support/pages/node/7052810
IBM Jazz Reporting Service is vulnerable to a denial of service (CVE-2023-35116)
https://www.ibm.com/support/pages/node/7052809
Vulnerability with snappy-java affect IBM Cloud Object Storage Systems (Oc2023v1)
https://www.ibm.com/support/pages/node/7052829
Require strict cookies for image proxy requests
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8j9x-fmww-qr37
OAuth2 client_secret stored in plain text in the database
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9
Inviting excessive long email addresses to a calendar event makes the server unresponsive
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r936-8gwm-w452
Password of talk conversations can be bruteforced
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7rf8-pqmj-rpqv
Rate limiter not working reliable when Memcached is installed
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xmhp-7vr4-hp63
Security updates 1.5.5 and 1.4.15 released
https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15
Security update 1.6.4 released
https://roundcube.net/news/2023/10/16/security-update-1.6.4-released