Daily summary - 24.10.2023

End-of-Day report

Timeframe: Monday 23-10-2023 18:00 - Tuesday 24-10-2023 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer

News

Log in With... Feature Allows Full Online Account Takeover for Millions

Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires - and other online services likely have the same problems.

https://www.darkreading.com/remote-workforce/oauth-log-in-full-account-takeover-millions


Hostile Takeover: Malicious Ads via Facebook

Criminals hijack business accounts on Facebook and run their own advertising campaigns in someone else's name and at the expense of those affected.

https://www.gdatasoftware.com/blog/2023/10/37814-meta-hijacked-malicious-ads


Stealer for PIX payment system, new Lumar stealer and Rhysida ransomware

In this report, we share our latest crimeware findings: GoPIX targeting PIX payment system; Lumar stealing files and passwords; Rhysida ransomware supporting old Windows.

https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/


Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar

The open-source remote access trojan known as Quasar RAT has been observed leveraging DLL side-loading to fly under the radar and stealthily siphon data from compromised Windows hosts.

https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html


Citrix Bleed: Leaking Session Tokens with CVE-2023-4966

We were interested in CVE-2023-4966, which was described as "sensitive information disclosure" and had a CVSS score of 9.4. The high score for an information disclosure vulnerability and the mention of "buffer-related vulnerabilities" piqued our interest.

https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966


Best Practices for Writing Quality Vulnerability Reports

How to write great vulnerability reports? If you're a security consultant, penetration tester or a bug bounty hunter, these tips are for you!

https://itnext.io/best-practices-for-writing-quality-vulnerability-reports-119882422a27


Criminals spread fake Ryanair phone numbers

Be careful when searching the internet for a Ryanair phone number. Criminals are putting websites with fake numbers online. If you call the fake Ryanair service hotline, criminals steal your sensitive data and money.

https://www.watchlist-internet.at/news/kriminelle-verbreiten-falsche-ryanair-telefonnummern/


LOLBin with WorkFolders.exe on Windows

The legitimate Windows application WorkFolders.exe can be used to launch other .exe programs located in the Windows System32 folder or in the current folder. This enables malware to carry out so-called LOLBin attacks, in which legitimate operating system files are abused to execute malicious programs.

https://www.borncity.com/blog/2023/10/24/lolbin-mit-workfolders-exe-unter-windows/


The Great CVSS Bake Off: Testing How CVSS v4 Performs Versus v3

The highly anticipated Common Vulnerability Scoring System (CVSS) version 4 is planned to be released on October 31st by the Forum of Incident Response and Security Teams (FIRST).

https://orca.security/resources/blog/cvss-version-4-versus-version-3/

Vulnerabilities

VMware warns admins of public exploit for vRealize RCE flaw

VMware warned customers on Monday that proof-of-concept (PoC) exploit code is now available for an authentication bypass flaw in vRealize Log Insight (now known as VMware Aria Operations for Logs).

https://www.bleepingcomputer.com/news/security/vmware-warns-admins-of-public-exploit-for-vrealize-rce-flaw/


Many systems long since compromised: Cisco provides patches for IOS XE

Through vulnerabilities in the IOS XE operating software, tens of thousands of Cisco devices worldwide have been infiltrated. Now the first patches are available.

https://www.golem.de/news/viele-systeme-laengst-kompromittiert-cisco-stellt-patches-fuer-ios-xe-bereit-2310-178749.html


CVE-2023-33466 - Exploiting Healthcare Servers with Polyglot Files

Orthanc is an open source software to manage, exchange and visualize medical imaging data. In versions < 1.12.0, it is affected by an arbitrary file overwrite vulnerability (CVE-2023-33466) that might allow an authenticated attacker to obtain RCE on the system.

https://www.shielder.com/blog/2023/10/cve-2023-33466-exploiting-healthcare-servers-with-polyglot-files/


Proxy: Squid developers close partly critical holes in version 6.4

With Squid 6.4, the developers have released a version of the proxy server that fixes four security vulnerabilities. However, further holes remain in it.

https://www.heise.de/news/Proxy-Squid-6-4-schliesst-teils-kritische-Sicherheitsluecken-9342384.html


Vulnerability in LiteSpeed Cache plug-in endangers 4 million WordPress websites

Attackers can contaminate WordPress websites with malicious scripts. A security update repairs the LiteSpeed Cache plug-in.

https://www.heise.de/news/Luecke-in-LiteSpeed-Cache-Plug-in-gefaehrdet-4-Millionen-WordPress-Websites-9342838.html


Security updates: Firefox browser vulnerable to clickjacking attacks

Mozilla has fixed several security problems in current versions of Firefox and Firefox ESR.

https://www.heise.de/news/Sicherheitsupdates-Firefox-Browser-anfaellig-fuer-Clickjacking-Attacken-9342945.html


Security updates for Tuesday

Security updates have been issued by Debian (ceph and dbus), Fedora (cachelib, fb303, fbthrift, fizz, folly, matrix-synapse, mcrouter, mvfst, nats-server, nodejs18, proxygen, wangle, watchman, and wdt), Mageia (libcue), Oracle (18, grafana, kernel, nodejs, nodejs:16, nodejs:18, php, php:8.0, and tomcat), Red Hat (python27:2.7, python3, python39:3.9, python39-devel:3.9, toolbox, varnish, and varnish:6), SUSE (fwupdate, gcc13, icu73_2, netty, netty-tcnative, and xen), and Ubuntu [...]

https://lwn.net/Articles/948688/


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


Vulnerability in SICK Flexi Soft Gateway

https://psirt.bosch.com/security-advisories/bosch-sa-164691.html


Rockwell Automation Stratix 5800 and Stratix 5200

https://www.cisa.gov/news-events/ics-advisories/icsa-23-297-01