Tageszusammenfassung - 06.11.2023

End-of-Day report

Timeframe: Freitag 03-11-2023 18:00 - Montag 06-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter


Microsoft Exchange: Vier 0-day-Schwachstellen ermöglichen RCE-Angriffe und Datenklau

Die Zero Day Initiative (ZDI) von Trend Micro hat gerade vier ungepatchte Schwachstellen (sogenannte 0-Days) in Microsoft Exchange öffentlich gemacht. Diese wurden im September 2023 an Microsoft gemeldet und ZDI stuft die mit CVSS-Scores von 7.1 bis 7.5 ein. Microsofts Sicherheitsexperten sehen die Schwachstellen als nicht so schwerwiegend an, dass diese ein sofortiges Handeln erfordern (zur Ausnutzung sei eine Authentifizierung erforderlich). Die Microsoft-Entwickler haben Fixes "für später" angekündigt. Daher ist die Zero Day Initiative an die Öffentlichkeit gegangen, da man trotzdem die Möglichkeit für RCE-Angriffe und Datenklau sieht.


Sicherheitsupdates QNAP: Angreifer können eigene Befehle auf NAS ausführen

Wichtige Sicherheitspatches sichern Netzwerkspeicher von QNAP ab. Unbefugte können Daten einsehen.


E-Mail von A1 mit einer Rechnung über - 289,60 ist Fake

Aktuell werden A1-Kund:innen mit einer gefälschten Rechnung über - 289,60 verunsichert. Im E-Mail - angeblich von A1 - steht, dass der Rechnungsbetrag -heute- von Ihrem Bankkonto bzw. Ihrer Kreditkarte abgebucht wird. Im Anhang finden Sie die Infos zu Ihrer Rechnung. Wenn Sie auf den Anhang klicken, werden Sie auf eine gefälschte Login-Seite geführt. Kriminelle stehlen damit Ihre Zugangs- und Bankdaten!


Socks5Systemz proxy service infects 10,000 systems worldwide

A proxy botnet called Socks5Systemz has been infecting computers worldwide via the PrivateLoader and Amadey malware loaders, currently counting 10,000 infected devices.


Cybercrime service bypasses Android security to install malware

A new dropper-as-a-service (DaaS) named SecuriDropper has emerged, using a method that bypasses Android 13s Restricted Settings to install malware on devices and grant them access to the Accessibility Services.


TellYouThePass ransomware joins Apache ActiveMQ RCE attacks

Internet-exposed Apache ActiveMQ servers are also targeted in TellYouThePass ransomware attacks targeting a critical remote code execution (RCE) vulnerability previously exploited as a zero-day.


Gaming-related cyberthreats in 2023: Minecrafters targeted the most

Gaming-related threat landscape in 2023: desktop and mobile malware disguised as Minecraft, Roblox and other popular games, and the most widespread phishing schemes.


Google Warns How Hackers Could Abuse Calendar Service as a Covert C2 Channel

Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure. The tool, called Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first published to GitHub in June 2023.


Persistence - Windows Telemetry

Microsoft has introduced the compatibility telemetry in order to collect usage and performance data about Windows systems [...] TrustedSec has identified that it is feasible to abuse the Windows telemetry mechanism for persistence during red team operations if elevated access has been achieved.


What is Classiscam Scam-as-a-Service?

"The Classiscam scam-as-a-service operation has broadened its reach worldwide, targeting many more brands, countries, and industries, causing more significant financial damage than before,- touts Bleeping Computer. So just what is it? What is Classiscam? It-s a bird. It-s a plane. It-s - a pyramid? Classiscam is an enterprising criminal operation that uses a division of labor to organize low-level phishers into classified site scammers and takes a cut off the top.


Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518

As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment. We have confirmed that at least some of the exploits are targeting CVE-2023-22518.


Your printer is not your printer ! - Hacking Printers at Pwn2Own Part II

Based on our previous research, we also discovered Pre-auth RCE vulnerabilities((CVE-2023-0853-CVE-2023-0854) in other models of Canon printers. For the HP vulnerability, we had a collision with another team. In this section, we will detail the Canon and HP vulnerabilities we exploited during Pwn2own Toronto.


Provocative Facebook Ads Leveraged to Deliver NodeStealer Malware

Beware of Provocative Facebook Ads, Warn Researchers!


Scanning KBOM for Vulnerabilities with Trivy

Early this summer we announced the release of Kubernetes Bills of Material (KBOM) as part of Trivy, our all in one, popular open source security scanner. In the blog we discussed how KBOM is the manifest of all the important components that make up your Kubernetes cluster: Control plane components, Node Components, and Addons, including their versions and images.


Security updates 1.6.5 and 1.5.6 released

We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They all contain a fix for recently reported security vulnerability. [...] We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with this new versions.



Security updates for Monday

Security updates have been issued by Debian (chromium, open-vm-tools, openjdk-17, pmix, and trafficserver), Fedora (netconsd, podman, suricata, and usd), Oracle (.NET 6.0, .NET 7.0, binutils, ghostscript, java-1.8.0-openjdk, kernel, and squid), SUSE (apache-ivy, gstreamer-plugins-bad, kernel, nodejs12, opera, poppler, rubygem-activesupport-5.2, tiff, util-linux, and virtualbox), and Ubuntu (krb5).


IBM Security Bulletins