End-of-Day report
Timeframe: Wednesday 25-10-2023 18:00 - Friday 27-10-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
News
StripedFly malware framework infects 1 million Windows, Linux hosts
A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time.
https://www.bleepingcomputer.com/news/security/stripedfly-malware-framework-infects-1-million-windows-linux-hosts/
How to catch a wild triangle
How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.
https://securelist.com/operation-triangulation-catching-wild-triangle/110916/
Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction
Microsoft has been tracking activity related to the financially motivated threat actor Octo Tempest, whose evolving campaigns represent a growing concern for organizations across multiple industries. Octo Tempest leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion. With their extensive range of tactics, techniques, and procedures (TTPs), the threat actor, from our perspective, is one of the most dangerous financial criminal groups.
https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
iLeakage: Safari insufficiently protected against Spectre side-channel attack
Security researchers say that Apple's browser does not adequately protect against CPU side-channel attacks. Attackers can read data. Mitigations are available.
https://www.heise.de/-9344659
CISA, HHS Release Cybersecurity Healthcare Toolkit
CISA and the HHS have released resources for healthcare and public health organizations to improve their security.
https://www.securityweek.com/cisa-hhs-release-cybersecurity-healthcare-toolkit/
CVE-2023-4632: Local Privilege Escalation in Lenovo System Updater
The Lenovo System Update application is designed to allow non-administrators to check for and apply updates to their workstation. During the process of checking for updates, the privileged Lenovo Update application attempts to utilize C:\SSClientCommon\HelloLevel_9_58_00.xml, which doesn't exist on the filesystem [...] This vulnerability has been fixed in the latest version of the Lenovo System Updater application.
https://posts.specterops.io/cve-2023-4632-local-privilege-escalation-in-lenovo-system-updater-2762e9667120
ESET APT Activity Report Q2-Q3 2023
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 and Q3 2023
https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2-q3-2023/
Most common Active Directory misconfigurations and default settings that put your organization at risk
In this blog post, we will go over the most recurring (and critical) findings that we discovered when auditing the Active Directory environment of different companies, explain why these configurations can be dangerous, how they can be abused by attackers and how they can be mitigated or remediated.
https://blog.nviso.eu/2023/10/26/most-common-active-directory-misconfigurations-and-default-settings-that-put-your-organization-at-risk/
CVE-2023-4966 Helps Usher In A Baker's Dozen Of Citrix Tags To Further Help Organizations Mitigate Harm
Citrix's NetScaler ADC and NetScaler Gateway have, once more, been found to have multiple vulnerabilities, tracked as CVE-2023-4966 and CVE-2023-4967 [...] As of this post's publish time, GreyNoise has observed just under seventy IP addresses attempting to exploit this vulnerability.
https://www.greynoise.io/blog/cve-2023-4966-helps-usher-in-a-bakers-dozen-of-citrix-tags-to-further-help-organizations-mitigate-harm
CISA Announces Launch of Logging Made Easy
Today, CISA announces the launch of a new version of Logging Made Easy (LME), a straightforward log management solution for Windows-based devices that can be downloaded and self-installed for free.
https://www.cisa.gov/news-events/alerts/2023/10/27/cisa-announces-launch-logging-made-easy
Rhysida Ransomware Technical Analysis
Technical analysis of the Rhysida Ransomware family that emerged in Q2 of 2023
https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analysis/
Vulnerabilities
CISA Releases Nine Industrial Control Systems Advisories
ICSA-23-299-01 Dingtian DT-R002
ICSA-23-299-02 Centralite Pearl Thermostat
ICSA-23-299-03 Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium
ICSA-23-299-04 Rockwell Automation Arena
ICSA-23-299-05 Rockwell Automation FactoryTalk View Site Edition
ICSA-23-299-06 Rockwell Automation FactoryTalk Services Platform
ICSA-23-299-07 Sielco PolyEco FM Transmitter
ICSA-23-299-08 Sielco Radio Link and Analog FM Transmitters
ICSMA-23-194-01 BD Alaris System with Guardrails Suite MX (Update A)
https://www.cisa.gov/news-events/alerts/2023/10/26/cisa-releases-nine-industrial-control-systems-advisories
Cisco Update: HTTP/2 Rapid Reset Attack Affecting Cisco Products: October 2023
Version 1.5: Updated the lists of vulnerable products and products confirmed not vulnerable.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ
Cisco Update: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
Version 2.3: Updated summary to indicate additional fixed releases. Updated fixed release table and SMU table. Updated recommendations to add link to technical FAQ.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
Juniper Update: 2023-10 Security Bulletin: Junos OS: jkdsd crash due to multiple telemetry requests (CVE-2023-44188)
2023-10-25: Added note that SRX Series devices are not vulnerable to this issue
https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos-OS-jkdsd-crash-due-to-multiple-telemetry-requests-CVE-2023-44188
HPE Aruba Networking Product Security Advisory
HPE Aruba Networking has released updates to ClearPass Policy Manager that address multiple security vulnerabilities.
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt
Security updates: Jenkins plug-ins as an entry point for attackers
Jenkins can help with software development. Some plug-ins contain security vulnerabilities. A few updates are still outstanding.
https://www.heise.de/-9344802
Security vulnerabilities in the X.Org X server and Xwayland allow privilege escalation
Updated versions of the X.Org X server and Xwayland close security vulnerabilities that allow privilege escalation or a denial of service.
https://www.heise.de/-9345096
Privilege escalation via a flaw in HP Print and Scan Doctor
Updated software corrects a bug in the HP Print and Scan Doctor support tool that allows privilege escalation on the system.
https://www.heise.de/-9345192
Configuration utility of BIG-IP appliances as a stepping stone for attackers
F5 has released important security updates for BIG-IP products. Attackers can compromise devices.
https://www.heise.de/-9346460
Vulnerabilities in Nessus Network Monitor allow privilege escalation
A new version of Nessus Network Monitor closes security vulnerabilities through which attackers can, among other things, elevate their privileges.
https://www.heise.de/news/-9346392
VMware Tools: vulnerabilities allow privilege escalation
Under certain circumstances, VMware Tools on Linux, Windows and macOS allow attackers to issue commands without authorization. Not all updates are available yet.
https://www.heise.de/-9346863
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 16, 2023 to October 22, 2023)
Last week, there were 109 vulnerabilities disclosed in 95 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week.
https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpress-vulnerability-report-october-16-2023-to-october-22-2023/
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr and xorg-server), Fedora (firefox, mbedtls, nodejs18, nodejs20, and xen), Gentoo (libinput, unifi, and USBView), Mageia (python-nltk), Oracle (linux-firmware), Red Hat (nginx:1.22), SUSE (chromium, firefox, java-11-openjdk, jetty-minimal, nghttp2, nodejs18, webkit2gtk3, and zlib), and Ubuntu (linux, linux-lowlatency, linux-oracle-5.15, vim, and xorg-server, xwayland).
https://lwn.net/Articles/948930/
Security updates for Friday
Security updates have been issued by Debian (chromium and firefox-esr), Fedora (firefox, redis, samba, and xen), Oracle (python39:3.9, python39-devel:3.9), Slackware (mozilla and xorg), and SUSE (libnbd, open-vm-tools, python, sox, vorbis-tools, and zchunk).
https://lwn.net/Articles/949057/
Critical Mirth Connect Vulnerability Could Expose Sensitive Healthcare Data
Mirth Connect versions prior to 4.4.1 are vulnerable to CVE-2023-43208, a bypass for an RCE vulnerability.
https://www.securityweek.com/critical-mirth-connect-vulnerability-could-expose-sensitive-healthcare-data/
Apple Releases Security Advisories for Multiple Products
Apple has released security updates to address vulnerabilities in multiple products.
https://www.cisa.gov/news-events/alerts/2023/10/26/apple-releases-security-advisories-multiple-products
Vulnerability CVE-2023-5363 in OpenSSL
A vulnerability, CVE-2023-5363, has been found in the OpenSSL software. The initialization of the encryption key length and of the initialization vector in OpenSSL is faulty. For the Linux distributions Debian and Ubuntu, a fix is already available.
https://www.borncity.com/blog/2023/10/27/schwachstelle-cve-2023-5363-in-openssl/
ServiceNow silently fixes bug from 2015 that enabled data leaks
The US company ServiceNow Inc. offers a cloud platform whose software apparently contained a bug since 2015 through which third parties could extract information without authentication. After a security researcher came across the vulnerability, it was silently fixed in the cloud solution.
https://www.borncity.com/blog/2023/10/27/servicenow-fixt-stillschweigend-bug-aus-2015-der-datenlecks-ermglichte/
9 vulnerabilities found in VPN software, including 1 critical issue that could lead to remote code execution
Attackers could exploit these vulnerabilities in the SoftEther VPN solution for individual and enterprise users to force users to drop their connections or execute arbitrary code on the targeted machine.
https://blog.talosintelligence.com/vulnerability-roundup-oct-25-2023/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
VMSA-2023-0024
https://www.vmware.com/security/advisories/VMSA-2023-0024.html
SonicWall SSO Agent - Directory Services Connector MSI Local Privilege Escalation Vulnerability
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0016
SonicWall NetExtender Windows Client DLL Search Order Hijacking Vulnerability
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0017