Daily summary - 16.10.2023

End-of-Day report

Timeframe: Friday 13-10-2023 18:00 - Monday 16-10-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a

News

DarkGate malware spreads through compromised Skype accounts

Between July and September, DarkGate malware attacks have used compromised Skype accounts to infect targets through messages containing VBA loader script attachments.

https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-through-compromised-skype-accounts/


Scanning evasion issue in Cisco Secure Email Gateway

Cisco Secure Email Gateway provided by Cisco Systems may fail to detect specially crafted files.

https://jvn.jp/en/jp/JVN58574030/


Security review for Microsoft Edge version 118

We are pleased to announce the security review for Microsoft Edge, version 118! We have reviewed the new settings in Microsoft Edge version 118 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 117 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit.

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-review-for-microsoft-edge-version-118/ba-p/3955123


SpyNote: Beware of This Android Trojan that Records Audio and Phone Calls

The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features. Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure.

https://thehackernews.com/2023/10/spynote-beware-of-this-android-trojan.html


Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign

Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems. "The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 [..]

https://thehackernews.com/2023/10/pro-russian-hackers-exploiting-recent.html


Signal says there is no evidence rumored zero-day bug is real

As this is an ongoing investigation, and the mitigation is to simply disable the Link Previews feature, users may want to turn this setting off for the time being until it's fully confirmed not to be real.

https://www.bleepingcomputer.com/news/security/signal-says-there-is-no-evidence-rumored-zero-day-bug-is-real/


"EtherHiding" - Hiding Web2 Malicious Code in Web3 Smart Contracts

Over the last two months, leveraging a vast array of hijacked WordPress sites, this threat actor has misled users into downloading malicious fake "browser updates". While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they've quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain. This campaign is up and harder than ever to detect and take down.

https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16


Blocking Dedicated Attacking Hosts Is Not Enough: In-Depth Analysis of a Worldwide Linux XorDDoS Campaign

We provide a comprehensive analysis of the XorDDoS Trojan's attacking behaviors. Subsequently, we unveil the intricate network infrastructure orchestrating the campaign's botnet. Lastly, we introduce the advanced signatures derived from the key attacking hotspots, including hostnames, URLs and IP addresses. These signatures effectively identified over 1,000 XorDDoS C2 traffic sessions in August 2023 alone.

https://unit42.paloaltonetworks.com/new-linux-xorddos-trojan-campaign-delivers-malware/


WS_FTP: ransomware attacks on unpatched servers

Vendor Progress recently closed several security vulnerabilities in WS_FTP, some of them critical. Sophos is now seeing ransomware attacks targeting them.

https://www.heise.de/news/WS-FTP-Ransomware-Attacken-auf-ungepatchte-Server-9335146.html


Milesight Industrial Router Vulnerability Possibly Exploited in Attacks

A vulnerability affecting Milesight industrial routers, tracked as CVE-2023-4326, may have been exploited in attacks.

https://www.securityweek.com/milesight-industrial-router-vulnerability-possibly-exploited-in-attacks/


Selling on Willhaben? You should know this scam!

On Willhaben and other sales platforms you will surely encounter scammers now and then. You should be particularly careful if you are selling for the first time and are not yet familiar with how a sale works. We show you a common scam and how to protect yourself from it!

https://www.watchlist-internet.at/news/sie-verkaufen-auf-willhaben-diese-betrugsmasche-sollten-sie-kennen/


curl vulnerability left unpatched by Microsoft

Older versions of the curl library and tool contain a vulnerability that the project closed on 11 October 2023 with version 8.4.0. Microsoft ships curl with Windows, and the question arose whether curl was also updated on Patch Tuesday, 10 October 2023. As far as I know, Windows still contains the outdated curl version even after the October 2023 updates.

https://www.borncity.com/blog/2023/10/14/curl-schwachstelle-durch-microsoft-ungepatcht/


Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability

Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.

https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/


Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a

Vulnerabilities

Exim bugs

Fixed in 4.96.2/4.97:
- CVE-2023-42117: Improper Neutralization of Special Elements
- CVE-2023-42119: dnsdb Out-Of-Bounds Read

libspf2 Integer Underflow:
- CVE-2023-42118: Mitigation: Do not use the `spf` condition in your ACL

https://exim.org/static/doc/security/CVE-2023-zdi.txt


WordPress: takeover via vulnerability in Royal Elementor Addons and Template

Cybercriminals are abusing a critical vulnerability in the WordPress plug-in Royal Elementor Addons and Template. They are using it to take over instances.

https://www.heise.de/news/Wordpress-Uebernahme-durch-Luecke-in-Royal-Elementor-Addons-and-Template-9335615.html


Samba: new versions fix multiple security vulnerabilities

Due to various programming errors, attackers could access secret information, up to and including the Kerberos TGT password. Updates are available.

https://www.heise.de/news/Samba-Neue-Versionen-beheben-mehrere-Sicherheitsluecken-9335169.html


Security updates for Monday

Security updates have been issued by Debian (batik, poppler, and tomcat9), Fedora (chromium, composer, curl, emacs, ghostscript, libwebp, libXpm, netatalk, nghttp2, python-asgiref, python-django, and webkitgtk), Mageia (curl and libX11), Oracle (bind, busybox, firefox, and kernel), Red Hat (curl, dotnet6.0, dotnet7.0, and nginx), SUSE (chromium, cni, cni-plugins, grub2, netatalk, opensc, opera, and wireshark), and Ubuntu (iperf3).

https://lwn.net/Articles/947891/


Vulnerabilities in Video Station

Three vulnerabilities have been reported to affect Video Station:
- CVE-2023-34975 and CVE-2023-34976: SQL injection vulnerabilities
- CVE-2023-34977: Cross-site scripting (XSS) vulnerability

If exploited, these vulnerabilities could allow authenticated users to inject malicious code via a network.

https://www.qnap.com/en-us/security-advisory/QSA-23-52


Vulnerabilities in QTS, QuTS hero, and QuTScloud

Two vulnerabilities have been reported to affect several QNAP operating system versions:
- CVE-2023-32970: If exploited, the null pointer dereference vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network.
- CVE-2023-32973: If exploited, the buffer copy without checking size of input vulnerability could allow authenticated administrators to execute code via a network.

https://www.qnap.com/en-us/security-advisory/QSA-23-41


Vulnerability in QTS, QuTS hero, and QuTScloud

A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read and expose sensitive data via a network.

https://www.qnap.com/en-us/security-advisory/QSA-23-42


Vulnerability in Container Station

An OS command injection vulnerability has been reported to affect Container Station. If exploited, the vulnerability could allow authenticated administrators to execute arbitrary commands via a network.

https://www.qnap.com/en-us/security-advisory/QSA-23-44


web2py vulnerable to OS command injection

https://jvn.jp/en/jp/JVN80476432/


cURL and libcurl Vulnerability Affecting Cisco Products: October 2023

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-curl-libcurl-D9ds39cV


Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z


FortiSandbox - XSS on delete endpoint

https://fortiguard.fortinet.com/psirt/FG-IR-23-311


FortiSandbox - Reflected Cross Site Scripting (XSS) on download progress endpoint

https://fortiguard.fortinet.com/psirt/FG-IR-23-215


FortiSandbox - Arbitrary file delete

https://fortiguard.fortinet.com/psirt/FG-IR-23-280


Red Lion Europe: Vulnerability allows access to non-critical information in mbCONNECT24 and mymbCONNECT24

https://cert.vde.com/de/advisories/VDE-2023-041/


Helmholz: Vulnerability allows access to non-critical information in myREX24 and myREX24.virtual

https://cert.vde.com/de/advisories/VDE-2023-043/


2023-10 Security Bulletin: Junos OS and Junos OS Evolved: High CPU load due to specific NETCONF command (CVE-2023-44184)

https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-High-CPU-load-due-to-specific-NETCONF-command-CVE-2023-44184


IBM Security Verify Access Appliance has multiple security vulnerabilities

https://www.ibm.com/support/pages/node/7009735


Security Vulnerabilities have been identified in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products.

https://www.ibm.com/support/pages/node/6953617


Security Vulnerabilities fixed in IBM Security Verify Access (CVE-2022-40303)

https://www.ibm.com/support/pages/node/7009741


IBM Security Verify Access OpenID Connect Provider container has fixed multiple vulnerabilities (CVE-2022-43868, CVE-2022-43739, CVE-2022-43740)

https://www.ibm.com/support/pages/node/7028513


IBM Security Verify Access product is vulnerable to Open Redirects (AAC module ) (CVE-2023-30433)

https://www.ibm.com/support/pages/node/7012613


Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946)

https://www.ibm.com/support/pages/node/7014261


IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342)

https://www.ibm.com/support/pages/node/7014259


Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9.

https://www.ibm.com/support/pages/node/7052776


Multiple Vulnerabilities of Apache HttpClient have affected IBM Jazz Reporting Service

https://www.ibm.com/support/pages/node/7052811


Google Guava component, which is used by IBM Jazz Reporting Services, is vulnerable to CVE-2023-2976.

https://www.ibm.com/support/pages/node/7052810


IBM Jazz Reporting Service is vulnerable to a denial of service (CVE-2023-35116)

https://www.ibm.com/support/pages/node/7052809


Vulnerability with snappy-java affects IBM Cloud Object Storage Systems (Oc2023v1)

https://www.ibm.com/support/pages/node/7052829


Require strict cookies for image proxy requests

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8j9x-fmww-qr37


OAuth2 client_secret stored in plain text in the database

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9


Inviting excessively long email addresses to a calendar event makes the server unresponsive

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r936-8gwm-w452


Password of talk conversations can be bruteforced

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7rf8-pqmj-rpqv


Rate limiter not working reliably when Memcached is installed

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xmhp-7vr4-hp63


Security updates 1.5.5 and 1.4.15 released

https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15


Security update 1.6.4 released

https://roundcube.net/news/2023/10/16/security-update-1.6.4-released