End-of-Day report
Timeframe: Thursday 09-11-2023 18:00 - Friday 10-11-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
News
Ducktail fashion week
The Ducktail malware, designed to hijack Facebook business and ads accounts, sends marketing professionals fake ads for jobs with major clothing manufacturers.
https://securelist.com/ducktail-fashion-week/111017/
Routers Targeted for Gafgyt Botnet [Guest Diary], (Thu, Nov 9th)
The threat actor attempts to add my honeypot into a botnet so the threat actor can carry out DDoS attacks. The vulnerabilities used for the attack were default credentials and CVE-2017-17215. To prevent these attacks, make sure systems are patched and using strong credentials.
https://isc.sans.edu/diary/rss/30390
Malware: More than 600 million downloads from Google Play in 2023
Kaspersky has already counted more than 600 million malware downloads from the Google Play Store this year. It nonetheless remains the safest package source.
https://www.heise.de/news/Malware-Mehr-als-600-Millionen-Downloads-2023-in-Google-Play-9358247.html
Demystifying Cobalt Strike's 'make_token' Command
Cobalt Strike provides the make_token command to achieve a similar result to runas /netonly.
https://research.nccgroup.com/2023/11/10/demystifying-cobalt-strikes-make_token-command/
High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites
Clickbait articles are highlighted in this article. A jump in compromised sites exploiting CVE-2023-3169 stresses the danger of web-based threats.
https://unit42.paloaltonetworks.com/dangers-of-clickbait-sites/
Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518
We encountered the Cerber ransomware exploiting the Atlassian Confluence vulnerability CVE-2023-22518 in its operations.
https://www.trendmicro.com/en_us/research/23/k/cerber-ransomware-exploits-cve-2023-22518.html
Vulnerabilities
Security updates for Friday
Security updates have been issued by Fedora (community-mysql, matrix-synapse, and xorg-x11-server-Xwayland), Mageia (squid and vim), Oracle (dnsmasq, python3, squid, squid:4, and xorg-x11-server), Red Hat (fence-agents, insights-client, kernel, kpatch-patch, mariadb:10.5, python3, squid, squid:4, tigervnc, and xorg-x11-server), Scientific Linux (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libssh2, python-reportlab, python3, squid, thunderbird, and xorg-x11-server), [...]
https://lwn.net/Articles/951066/
Multiple Vulnerabilities in QuMagie
https://www.qnap.com/en-us/security-advisory/QSA-23-50
Vulnerability in QTS, QuTS hero, and QuTScloud
https://www.qnap.com/en-us/security-advisory/QSA-23-24
AIX is affected by a denial of service (CVE-2023-45167) and a security restrictions bypass (CVE-2023-40217) due to Python
https://www.ibm.com/support/pages/node/7068084
Multiple vulnerabilities in Eclipse Jetty affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow
https://www.ibm.com/support/pages/node/7070298
The IBM Engineering Lifecycle Engineering product using IBM SDK, Java Technology Edition Quarterly CPU - Apr 2023 - Includes Oracle April 2023 CPU plus CVE-2023-2597
https://www.ibm.com/support/pages/node/7070548
Multiple security vulnerabilities have been identified in IBM DB2 which is shipped with IBM Intelligent Operations Center.
https://www.ibm.com/support/pages/node/7070539
IBM QRadar SIEM contains multiple vulnerabilities
https://www.ibm.com/support/pages/node/7070736
Ivanti Secure Access Client security notifications
https://www.ivanti.com/blog/ivanti-secure-access-client-security-notifications