End-of-Day report
Timeframe: Montag 06-11-2023 18:00 - Dienstag 07-11-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
Microsoft Authenticator now blocks suspicious MFA alerts by default
Microsoft has introduced a new protective feature in the Authenticator app to block notifications that appear suspicious based on specific checks performed during the account login stage.
https://www.bleepingcomputer.com/news/security/microsoft-authenticator-now-blocks-suspicious-mfa-alerts-by-default/
MacBook Pro M3 läuft unter Umständen noch mit altem macOS - Update nicht möglich
Auf manchem neuen MacBook Pro M3 läuft eine Version von macOS 13, die gravierende Sicherheitslücken hat. Sie lässt sich offenbar nicht direkt updaten.
https://www.heise.de/-9355709
New GootLoader Malware Variant Evades Detection and Spreads Rapidly
A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection.
https://thehackernews.com/2023/11/new-gootloader-malware-variant-evades.html
Phishing With Dynamite
Token stealing is getting harder. Instead, stealing whole logged-in browser instances may be an easier and more generic approach. One attack, known as -browser-in-the-middle- (BitM), makes it possible to virtually place a user in front of our browser and request them to log in for us. One of my old work buddies referred to it as -phishing with dynamite- after using it on a few social engineering campaigns.
https://posts.specterops.io/phishing-with-dynamite-7d33d8fac038
D0nut encrypt me, I have a wife and no backups
Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP-s) deployed by four ransomware families recently observed during NCC Group-s incident response engagements. In case you missed it, last time we analysed an Incident Response engagement involving BlackCat Ransomware. In this instalment, we take a deeper dive into the D0nut extortion group.
https://research.nccgroup.com/2023/11/06/d0nut-encrypt-me-i-have-a-wife-and-no-backups/
Post-exploiting a compromised etcd - Full control over the cluster and its nodes
When considering the attack surface in Kubernetes, we consider certain unauthenticated components, such as the kube-apiserver and kubelet, as well as leaked tokens or credentials that grant access to certain cluster features, and non-hardened containers that may provide access to the underlying host. However, when discussing etcd, it is often perceived solely as an information storage element within the cluster from which secrets can be extracted. However, etcd is much more than that.
https://research.nccgroup.com/2023/11/07/post-exploiting-a-compromised-etcd-full-control-over-the-cluster-and-its-nodes/
Generating IDA Type Information Libraries from Windows Type Libraries
In this quick-post, well explore how to convert Windows type libraries (TLB) into IDA type information libraries (TIL).
https://blog.nviso.eu/2023/11/07/generating-ida-type-information-libraries-from-windows-type-libraries/
CISA Published When to Issue VEX Information
This guide explains the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information. Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers.
https://www.cisa.gov/news-events/alerts/2023/11/06/cisa-published-when-issue-vex-information
Vulnerabilities
Sicherheitsupdates: Zwei kritische Lücken bedrohen Monitoringtool Veeam One
Die Entwickler haben in Veeam One unter anderem zwei kritische Schwachstellen geschlossen. Im schlimmsten Fall kann Schadcode auf Systeme gelangen.
https://www.heise.de/-9354987
WS_FTP Server Arbitrary File Upload CVE-2023-42659 - (CRITICAL)
In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An authenticated Ad Hoc Transfer user has the ability to craft an API call which allows them to upload a file to a specified location on the underlying operating system hosting the WS_FTP Server application.
https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2023
Security updates for Tuesday
Security updates have been issued by Debian (trapperkeeper-webserver-jetty9-clojure), Mageia (libsndfile, packages, thunderbird, and x11-server), Oracle (.NET 6.0), SUSE (kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools- container, virt-operator-container, redis, and squid), and Ubuntu (gsl).
https://lwn.net/Articles/950523/
37 Vulnerabilities Patched in Android With November 2023 Security Updates
The Android security updates released this week resolve 37 vulnerabilities, including a critical information disclosure bug.
https://www.securityweek.com/37-vulnerabilities-patched-in-android-with-november-2023-security-updates/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
GE MiCOM S1 Agile
https://www.cisa.gov/news-events/ics-advisories/icsa-23-311-23
Zyxel security advisory for improper privilege management vulnerability in GS1900 series switches
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-improper-privilege-management-vulnerability-in-gs1900-series-switches