End-of-Day report
Timeframe: Monday 23-10-2023 18:00 - Tuesday 24-10-2023 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
News
Log in With... Feature Allows Full Online Account Takeover for Millions
Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires - and other online services likely have the same problems.
https://www.darkreading.com/remote-workforce/oauth-log-in-full-account-takeover-millions
Hostile Takeover: Malicious Ads via Facebook
Criminals hijack business accounts on Facebook and run their own advertising campaigns in someone else's name and at the expense of those affected.
https://www.gdatasoftware.com/blog/2023/10/37814-meta-hijacked-malicious-ads
Stealer for PIX payment system, new Lumar stealer and Rhysida ransomware
In this report, we share our latest crimeware findings: GoPIX targeting PIX payment system; Lumar stealing files and passwords; Rhysida ransomware supporting old Windows.
https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/
Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar
The open-source remote access trojan known as Quasar RAT has been observed leveraging DLL side-loading to fly under the radar and stealthily siphon data from compromised Windows hosts.
https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html
Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
We were interested in CVE-2023-4966, which was described as "sensitive information disclosure" and had a CVSS score of 9.4. The high score for an information disclosure vulnerability and the mention of "buffer-related vulnerabilities" piqued our interest.
https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
Best Practices for Writing Quality Vulnerability Reports
How to write great vulnerability reports? If you're a security consultant, penetration tester or a bug bounty hunter, these tips are for you!
https://itnext.io/best-practices-for-writing-quality-vulnerability-reports-119882422a27
Criminals spread fake Ryanair phone numbers
Be careful when searching the internet for a Ryanair phone number. Criminals put websites with fake numbers online. If you call the fake Ryanair service hotline, criminals steal your sensitive data and money.
https://www.watchlist-internet.at/news/kriminelle-verbreiten-falsche-ryanair-telefonnummern/
LOLBin with WorkFolders.exe on Windows
The legitimate Windows application WorkFolders.exe can be used to launch other .exe programs located in the Windows System32 folder or in the current folder. This enables malware to carry out so-called LOLBin attacks, in which legitimate operating system files are abused to execute malicious programs.
https://www.borncity.com/blog/2023/10/24/lolbin-mit-workfolders-exe-unter-windows/
The Great CVSS Bake Off: Testing How CVSS v4 Performs Versus v3
The highly anticipated Common Vulnerability Scoring System (CVSS) version 4 is planned to be released on October 31st by the Forum of Incident Response and Security Teams (FIRST).
https://orca.security/resources/blog/cvss-version-4-versus-version-3/
Vulnerabilities
VMware warns admins of public exploit for vRealize RCE flaw
VMware warned customers on Monday that proof-of-concept (PoC) exploit code is now available for an authentication bypass flaw in vRealize Log Insight (now known as VMware Aria Operations for Logs).
https://www.bleepingcomputer.com/news/security/vmware-warns-admins-of-public-exploit-for-vrealize-rce-flaw/
Many systems long since compromised: Cisco provides patches for IOS XE
Through vulnerabilities in the IOS XE operating software, tens of thousands of Cisco devices worldwide have been infiltrated. The first patches are now available.
https://www.golem.de/news/viele-systeme-laengst-kompromittiert-cisco-stellt-patches-fuer-ios-xe-bereit-2310-178749.html
CVE-2023-33466 - Exploiting Healthcare Servers with Polyglot Files
Orthanc is an open source software to manage, exchange and visualize medical imaging data. In versions < 1.12.0, it is affected by an arbitrary file overwrite vulnerability (CVE-2023-33466) that might allow an authenticated attacker to obtain RCE on the system.
https://www.shielder.com/blog/2023/10/cve-2023-33466-exploiting-healthcare-servers-with-polyglot-files/
Proxy: Squid developers close partly critical holes in version 6.4
With Squid 6.4, the developers have released a version of the proxy server cleaned of four security vulnerabilities. However, further holes remain in it.
https://www.heise.de/news/Proxy-Squid-6-4-schliesst-teils-kritische-Sicherheitsluecken-9342384.html
Vulnerability in LiteSpeed Cache plug-in endangers 4 million WordPress websites
Attackers can infect WordPress websites with malicious scripts. A security update fixes the LiteSpeed Cache plug-in.
https://www.heise.de/news/Luecke-in-LiteSpeed-Cache-Plug-in-gefaehrdet-4-Millionen-WordPress-Websites-9342838.html
Security updates: Firefox browser vulnerable to clickjacking attacks
Mozilla has fixed several security problems in current versions of Firefox and Firefox ESR.
https://www.heise.de/news/Sicherheitsupdates-Firefox-Browser-anfaellig-fuer-Clickjacking-Attacken-9342945.html
Security updates for Tuesday
Security updates have been issued by Debian (ceph and dbus), Fedora (cachelib, fb303, fbthrift, fizz, folly, matrix-synapse, mcrouter, mvfst, nats-server, nodejs18, proxygen, wangle, watchman, and wdt), Mageia (libcue), Oracle (18, grafana, kernel, nodejs, nodejs:16, nodejs:18, php, php:8.0, and tomcat), Red Hat (python27:2.7, python3, python39:3.9, python39-devel:3.9, toolbox, varnish, and varnish:6), SUSE (fwupdate, gcc13, icu73_2, netty, netty-tcnative, and xen), and Ubuntu [...]
https://lwn.net/Articles/948688/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Vulnerability in SICK Flexi Soft Gateway
https://psirt.bosch.com/security-advisories/bosch-sa-164691.html
Rockwell Automation Stratix 5800 and Stratix 5200
https://www.cisa.gov/news-events/ics-advisories/icsa-23-297-01