Daily summary - 13.11.2023

End-of-Day report

Timeframe: Friday 10-11-2023 18:00 - Monday 13-11-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter

News

In a first, cryptographic keys protecting SSH connections stolen in new attack

An error as small as a single flipped memory bit is all it takes to expose a private key.

https://arstechnica.com/?p=1983026


Hackers breach healthcare orgs via ScreenConnect remote access

Security researchers are warning that hackers are targeting multiple healthcare organizations in the U.S. by abusing the ScreenConnect remote access tool.

https://www.bleepingcomputer.com/news/security/hackers-breach-healthcare-orgs-via-screenconnect-remote-access/


New Ransomware Group Emerges with Hives Source Code and Infrastructure

The threat actors behind a new ransomware group called Hunters International have acquired the source code and infrastructure from the now-dismantled Hive operation to kick-start its own efforts in the threat landscape. "It appears that the leadership of the Hive group made the strategic decision to cease their operations and transfer their remaining assets to another group, Hunters [...]

https://thehackernews.com/2023/11/new-ransomware-group-emerges-with-hives.html


Abusing Microsoft Access "Linked Table" Feature to Perform NTLM Forced Authentication Attacks

1. Microsoft Access (part of the Office suite) has a "linking to remote SQL Server tables" feature.
2. This feature can be abused by attackers to automatically leak the Windows user's NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80.
3. The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more common Office file type (such as .rtf) can work as well.
4. This technique allows the attacker to bypass existing firewall rules designed to block NTLM information stealing initiated by external attacks.

https://research.checkpoint.com/2023/abusing-microsoft-access-linked-table-feature-to-perform-ntlm-forced-authentication-attacks/


Report: IT security neglected in public health offices

Lack of know-how, tight budgets and insecure software: a report describes serious security gaps in public health offices.

https://www.heise.de/-9404608.html


Don't throw a hissy fit; defend against Medusa

Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTPs) deployed by four ransomware families recently observed during NCC Group's incident response engagements.

https://research.nccgroup.com/2023/11/13/dont-throw-a-hissy-fit-defend-against-medusa/


Cyber Threat Intelligence: On the trail of the adversaries

By collecting, analyzing and contextualizing information about possible cyber threats, including the most advanced ones, threat intelligence provides an important method for identifying, assessing and mitigating cyber risks.

https://www.welivesecurity.com/de/business-security/cyber-threat-intelligence-den-gegnern-auf-der-spur/


CISA Adds Six Known Exploited Vulnerabilities to Catalog

CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

https://www.cisa.gov/news-events/alerts/2023/11/13/cisa-adds-six-known-exploited-vulnerabilities-catalog


Ransomware tracker: The latest figures [November 2023]

Note: this Ransomware Tracker is updated on the second Sunday of each month to stay current. Ransomware attacks across several key sectors dipped significantly in October, breaking a streak that has gone on for much of 2023. Ransomware gangs posted 243 victims to their extortion sites in October - a sharp decrease from the 455 [...]

https://therecord.media/ransomware-tracker-the-latest-figures


RCE exploit published for Wyze Cam v3 (Nov. 2023)

A brief note for owners of indoor cameras from the vendor Wyze. Their Wyze Cam v3 model apparently contains vulnerabilities that allow third parties to access the camera data. An RCE exploit for the Wyze Cam v3 has now been published.

https://www.borncity.com/blog/2023/11/11/rce-exploit-fr-wyze-cam-v3-verffentlicht-nov-2023/


Facebook fake notifications: "Pages suspended for violating community standards"

A criminal scheme appears to be running on Facebook via Messenger, in which recipients are supposedly informed by Facebook/Meta employees that their pages have been suspended for violating the community standards or similar. A link is included with a request to unblock the page. This is fake and a phishing attempt to harvest login credentials.

https://www.borncity.com/blog/2023/11/12/facebook-fake-benachrichtigungen-seiten-wegen-verletzung-der-gemeinschaftsstandard-gesperrt/


OracleIV DDoS Botnet Malware Targets Docker Engine API Instances

While OracleIV is not a supply chain attack, it highlights the ongoing threat of misconfigured Docker Engine API deployments.

https://www.hackread.com/oracleiv-ddos-botnet-malware-docker-engine-api-instances/


ACSC and CISA Release Business Continuity in a Box

Today, the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) and CISA released Business Continuity in a Box. Business Continuity in a Box, developed by ACSC with contributions from CISA, assists organizations with swiftly and securely standing up critical business functions during or following a cyber incident.

https://www.cisa.gov/news-events/alerts/2023/11/13/acsc-and-cisa-release-business-continuity-box

Vulnerabilities

Local Privilege Escalation in Check Point Endpoint Security Remediation Service

This vulnerability allows local attackers to escalate privileges on affected installations of Check Point Harmony Endpoint/ZoneAlarm Extreme Security.

https://support.checkpoint.com/results/sk/sk181597


Security updates for Monday

Security updates have been issued by Debian (audiofile and ffmpeg), Fedora (keylime, python-pillow, and tigervnc), Mageia (quictls and vorbis-tools), Oracle (grub2), Red Hat (galera, mariadb, plexus-archiver, python, squid, and squid34), and SUSE (clamav, kernel, mupdf, postgresql14, tomcat, tor, and vlc).

https://lwn.net/Articles/951237/


CVE-2023-5950 Rapid7 Velociraptor Reflected XSS

This advisory covers a specific issue identified in Velociraptor and disclosed by a security code review. Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability.

https://www.rapid7.com/blog/post/2023/11/10/cve-2023-5950-rapid7-velociraptor-reflected-xss/


Ivanti EPMM CVE-2023-39335/39337

As part of our ongoing strengthening of the security of our products we have discovered two new vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core. We are reporting these vulnerabilities as CVE-2023-39335 and CVE-2023-39337.

https://www.ivanti.com/blog/ivanti-epmm-cve-2023-39335-39337


Multiple Vulnerabilities Affecting Watson Machine Learning Accelerator on Cloud Pak for Data version

https://www.ibm.com/support/pages/node/7071340