End-of-Day report
Timeframe: Freitag 03-11-2023 18:00 - Montag 06-11-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Microsoft Exchange: Vier 0-day-Schwachstellen ermöglichen RCE-Angriffe und Datenklau
Die Zero Day Initiative (ZDI) von Trend Micro hat gerade vier ungepatchte Schwachstellen (sogenannte 0-Days) in Microsoft Exchange öffentlich gemacht. Diese wurden im September 2023 an Microsoft gemeldet und ZDI stuft die mit CVSS-Scores von 7.1 bis 7.5 ein. Microsofts Sicherheitsexperten sehen die Schwachstellen als nicht so schwerwiegend an, dass diese ein sofortiges Handeln erfordern (zur Ausnutzung sei eine Authentifizierung erforderlich). Die Microsoft-Entwickler haben Fixes "für später" angekündigt. Daher ist die Zero Day Initiative an die Öffentlichkeit gegangen, da man trotzdem die Möglichkeit für RCE-Angriffe und Datenklau sieht.
https://www.borncity.com/blog/2023/11/04/microsoft-exchange-vier-0-day-schwachstellen-ermglichen-rce-angriffe-und-datenklau/
Sicherheitsupdates QNAP: Angreifer können eigene Befehle auf NAS ausführen
Wichtige Sicherheitspatches sichern Netzwerkspeicher von QNAP ab. Unbefugte können Daten einsehen.
https://www.heise.de/-9354109.html
E-Mail von A1 mit einer Rechnung über - 289,60 ist Fake
Aktuell werden A1-Kund:innen mit einer gefälschten Rechnung über - 289,60 verunsichert. Im E-Mail - angeblich von A1 - steht, dass der Rechnungsbetrag -heute- von Ihrem Bankkonto bzw. Ihrer Kreditkarte abgebucht wird. Im Anhang finden Sie die Infos zu Ihrer Rechnung. Wenn Sie auf den Anhang klicken, werden Sie auf eine gefälschte Login-Seite geführt. Kriminelle stehlen damit Ihre Zugangs- und Bankdaten!
https://www.watchlist-internet.at/news/e-mail-von-a1-mit-einer-rechnung-ueber-eur-28960-ist-fake/
Socks5Systemz proxy service infects 10,000 systems worldwide
A proxy botnet called Socks5Systemz has been infecting computers worldwide via the PrivateLoader and Amadey malware loaders, currently counting 10,000 infected devices.
https://www.bleepingcomputer.com/news/security/socks5systemz-proxy-service-infects-10-000-systems-worldwide/
Cybercrime service bypasses Android security to install malware
A new dropper-as-a-service (DaaS) named SecuriDropper has emerged, using a method that bypasses Android 13s Restricted Settings to install malware on devices and grant them access to the Accessibility Services.
https://www.bleepingcomputer.com/news/security/cybercrime-service-bypasses-android-security-to-install-malware/
TellYouThePass ransomware joins Apache ActiveMQ RCE attacks
Internet-exposed Apache ActiveMQ servers are also targeted in TellYouThePass ransomware attacks targeting a critical remote code execution (RCE) vulnerability previously exploited as a zero-day.
https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-joins-apache-activemq-rce-attacks/
Gaming-related cyberthreats in 2023: Minecrafters targeted the most
Gaming-related threat landscape in 2023: desktop and mobile malware disguised as Minecraft, Roblox and other popular games, and the most widespread phishing schemes.
https://securelist.com/game-related-threat-report-2023/110960/
Google Warns How Hackers Could Abuse Calendar Service as a Covert C2 Channel
Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure. The tool, called Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first published to GitHub in June 2023.
https://thehackernews.com/2023/11/google-warns-of-hackers-absing-calendar.html
Persistence - Windows Telemetry
Microsoft has introduced the compatibility telemetry in order to collect usage and performance data about Windows systems [...] TrustedSec has identified that it is feasible to abuse the Windows telemetry mechanism for persistence during red team operations if elevated access has been achieved.
https://pentestlab.blog/2023/11/06/persistence-windows-telemetry/
What is Classiscam Scam-as-a-Service?
"The Classiscam scam-as-a-service operation has broadened its reach worldwide, targeting many more brands, countries, and industries, causing more significant financial damage than before,- touts Bleeping Computer. So just what is it? What is Classiscam? It-s a bird. It-s a plane. It-s - a pyramid? Classiscam is an enterprising criminal operation that uses a division of labor to organize low-level phishers into classified site scammers and takes a cut off the top.
https://www.tripwire.com/state-of-security/what-classiscam-scam-service
Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518
As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment. We have confirmed that at least some of the exploits are targeting CVE-2023-22518.
https://www.rapid7.com/blog/post/2023/11/06/etr-rapid7-observed-exploitation-of-atlassian-confluence-cve-2023-22518/
Your printer is not your printer ! - Hacking Printers at Pwn2Own Part II
Based on our previous research, we also discovered Pre-auth RCE vulnerabilities((CVE-2023-0853-CVE-2023-0854) in other models of Canon printers. For the HP vulnerability, we had a collision with another team. In this section, we will detail the Canon and HP vulnerabilities we exploited during Pwn2own Toronto.
https://devco.re/blog/2023/11/06/your-printer-is-not-your-printer-hacking-printers-pwn2own-part2-en/
Provocative Facebook Ads Leveraged to Deliver NodeStealer Malware
Beware of Provocative Facebook Ads, Warn Researchers!
https://www.hackread.com/provocative-facebook-ads-nodestealer-malware/
Scanning KBOM for Vulnerabilities with Trivy
Early this summer we announced the release of Kubernetes Bills of Material (KBOM) as part of Trivy, our all in one, popular open source security scanner. In the blog we discussed how KBOM is the manifest of all the important components that make up your Kubernetes cluster: Control plane components, Node Components, and Addons, including their versions and images.
https://blog.aquasec.com/scanning-kbom-for-vulnerabilities-with-trivy
Security updates 1.6.5 and 1.5.6 released
We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They all contain a fix for recently reported security vulnerability. [...] We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions.
https://roundcube.net/news/2023/11/05/security-updates-1.6.5-and-1.5.6
Vulnerabilities
Security updates for Monday
Security updates have been issued by Debian (chromium, open-vm-tools, openjdk-17, pmix, and trafficserver), Fedora (netconsd, podman, suricata, and usd), Oracle (.NET 6.0, .NET 7.0, binutils, ghostscript, java-1.8.0-openjdk, kernel, and squid), SUSE (apache-ivy, gstreamer-plugins-bad, kernel, nodejs12, opera, poppler, rubygem-activesupport-5.2, tiff, util-linux, and virtualbox), and Ubuntu (krb5).
https://lwn.net/Articles/950413/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/