Daily summary - 07.11.2023

End-of-Day report

Timeframe: Monday 06-11-2023 18:00 - Tuesday 07-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer

News

Microsoft Authenticator now blocks suspicious MFA alerts by default

Microsoft has introduced a new protective feature in the Authenticator app to block notifications that appear suspicious based on specific checks performed during the account login stage.

https://www.bleepingcomputer.com/news/security/microsoft-authenticator-now-blocks-suspicious-mfa-alerts-by-default/


MacBook Pro M3 may still be running an old macOS - update not possible

Some new MacBook Pro M3 machines ship with a version of macOS 13 that has serious security vulnerabilities. Apparently it cannot be updated directly.

https://www.heise.de/-9355709


New GootLoader Malware Variant Evades Detection and Spreads Rapidly

A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection.

https://thehackernews.com/2023/11/new-gootloader-malware-variant-evades.html


Phishing With Dynamite

Token stealing is getting harder. Instead, stealing whole logged-in browser instances may be an easier and more generic approach. One attack, known as "browser-in-the-middle" (BitM), makes it possible to virtually place a user in front of our browser and request them to log in for us. One of my old work buddies referred to it as "phishing with dynamite" after using it on a few social engineering campaigns.

https://posts.specterops.io/phishing-with-dynamite-7d33d8fac038


D0nut encrypt me, I have a wife and no backups

Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTPs) deployed by four ransomware families recently observed during NCC Group's incident response engagements. In case you missed it, last time we analysed an Incident Response engagement involving BlackCat Ransomware. In this instalment, we take a deeper dive into the D0nut extortion group.

https://research.nccgroup.com/2023/11/06/d0nut-encrypt-me-i-have-a-wife-and-no-backups/


Post-exploiting a compromised etcd - Full control over the cluster and its nodes

When considering the attack surface in Kubernetes, we consider certain unauthenticated components, such as the kube-apiserver and kubelet, as well as leaked tokens or credentials that grant access to certain cluster features, and non-hardened containers that may provide access to the underlying host. However, when discussing etcd, it is often perceived solely as an information storage element within the cluster from which secrets can be extracted. However, etcd is much more than that.

https://research.nccgroup.com/2023/11/07/post-exploiting-a-compromised-etcd-full-control-over-the-cluster-and-its-nodes/


Generating IDA Type Information Libraries from Windows Type Libraries

In this quick post, we'll explore how to convert Windows type libraries (TLB) into IDA type information libraries (TIL).

https://blog.nviso.eu/2023/11/07/generating-ida-type-information-libraries-from-windows-type-libraries/


CISA Published When to Issue VEX Information

This guide explains the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information. Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers.

https://www.cisa.gov/news-events/alerts/2023/11/06/cisa-published-when-issue-vex-information

Vulnerabilities

Security updates: Two critical vulnerabilities threaten monitoring tool Veeam One

The developers have closed, among others, two critical vulnerabilities in Veeam One. In the worst case, malicious code could be executed on affected systems.

https://www.heise.de/-9354987


WS_FTP Server Arbitrary File Upload CVE-2023-42659 - (CRITICAL)

In WS_FTP Server versions prior to 8.7.6 and 8.8.4, an unrestricted file upload flaw has been identified. An authenticated Ad Hoc Transfer user has the ability to craft an API call which allows them to upload a file to a specified location on the underlying operating system hosting the WS_FTP Server application.

https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2023


Security updates for Tuesday

Security updates have been issued by Debian (trapperkeeper-webserver-jetty9-clojure), Mageia (libsndfile, packages, thunderbird, and x11-server), Oracle (.NET 6.0), SUSE (kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, redis, and squid), and Ubuntu (gsl).

https://lwn.net/Articles/950523/


37 Vulnerabilities Patched in Android With November 2023 Security Updates

The Android security updates released this week resolve 37 vulnerabilities, including a critical information disclosure bug.

https://www.securityweek.com/37-vulnerabilities-patched-in-android-with-november-2023-security-updates/


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


GE MiCOM S1 Agile

https://www.cisa.gov/news-events/ics-advisories/icsa-23-311-23


Zyxel security advisory for improper privilege management vulnerability in GS1900 series switches

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-improper-privilege-management-vulnerability-in-gs1900-series-switches