End-of-Day report
Timeframe: Monday 13-11-2023 18:00 - Tuesday 14-11-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
News
CISA warns of actively exploited Juniper pre-auth RCE exploit chain
CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks as part of a pre-auth exploit chain. The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper's J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild.
https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-juniper-pre-auth-rce-exploit-chain/
ChatGPT, Bard and others: AI systems allow data to be exfiltrated
Targeted queries can be used to extract private and protected data from AI systems. The attacks point to a fundamental problem.
https://www.golem.de/news/chatgpt-bard-und-andere-ki-systeme-ermoeglichen-ausleiten-von-daten-2311-179405.html
Noticing command and control channels by reviewing DNS protocols, (Mon, Nov 13th)
Malicious software pieces installed in computers call home. Some of them can be noticed because they perform DNS lookups and some of them initiate connections without DNS lookups. This last option is abnormal and can be noticed by any Network Detection and Response (NDR) tool that reviews the network traffic for at least two weeks. Most companies do not have money to afford an NDR, so I'm going to show you today an interesting tip that has worked for me to notice APTs calling home when they perform DNS lookups.
https://isc.sans.edu/diary/rss/30396
Bug hunters on your marks: TETRA radio encryption algorithms to enter public domain
The algorithms are used by TETRA - short for the Terrestrial Trunked Radio protocol - and they are operated by governments, law enforcement, military and emergency services organizations in Europe, the UK, and other countries.
https://go.theregister.com/feed/www.theregister.com/2023/11/14/tetra_encryption_algorithms_open_sourced/
Novel backdoor persists even after critical Confluence vulnerability is patched
Got a Confluence server? Listen up. Malware said to have wide-ranging capabilities. A new backdoor was this week found implanted in the environments of organizations to exploit the recently disclosed critical vulnerability in Atlassian Confluence.
https://go.theregister.com/feed/www.theregister.com/2023/11/14/novel_backdoor_persists_confluence/
Nothing new, still broken, insecure by default since then: Python's e-mail libraries and certificate verification
Today, basically every e-mail provider supports TLS for their services, and programmatically accessing e-mail services with Python code using TLS-wrapped clients is common. Python offers three libraries shipped with a standard installation for handling e-mail transfer. These modules are smtplib, imaplib, and poplib. While Python programming is usually straightforward, using these Python libraries requires passing a magic parameter in the right way to get secure communication.
https://www.pentagrid.ch/en/blog/python-mail-libraries-certificate-verification/
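The "magic parameter" is the ssl.SSLContext handed to the client via the context keyword; whether the connection is verified at all depends entirely on how that context was built. The following is an added example (not code from the Pentagrid post) that builds one hardened context, passes it to all three stdlib clients, and refuses to connect with a context that does not verify the peer. Host names used in the usage note are placeholders.

```python
"""Verified TLS for Python's stdlib mail clients (added example).

smtplib, imaplib and poplib all accept an ssl.SSLContext through the
``context`` keyword. A context that has verify_mode=CERT_REQUIRED and
check_hostname=True checks the chain and the server name; a context
without them silently accepts any certificate.
"""
import imaplib
import poplib
import smtplib
import ssl
import warnings
from typing import Optional


def hardened_context() -> ssl.SSLContext:
    """Context that verifies the certificate chain and the hostname.

    create_default_context() loads the platform CA store and sets
    verify_mode=CERT_REQUIRED plus check_hostname=True; on top of that
    we refuse anything older than TLS 1.2.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_context() -> ssl.SSLContext:
    """Context built the naive way: no hostname check, CERT_NONE.

    Included only so the difference is visible in a test; never use it
    for mail. PROTOCOL_TLS is deprecated since 3.10, hence the warning
    filter.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(ssl.PROTOCOL_TLS)


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _require_verifying(ctx: Optional[ssl.SSLContext]) -> ssl.SSLContext:
    """Fill in a hardened context when none is given; reject weak ones."""
    if ctx is None:
        ctx = hardened_context()
    if not verifies_peer(ctx):
        raise ValueError("SSLContext does not verify the server certificate")
    return ctx


def smtp_client(host: str, ctx: Optional[ssl.SSLContext] = None,
                port: int = 465, timeout: float = 30) -> smtplib.SMTP_SSL:
    """Implicit-TLS SMTP (submissions, port 465) with peer verification."""
    ctx = _require_verifying(ctx)
    return smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout)


def smtp_starttls_client(host: str, ctx: Optional[ssl.SSLContext] = None,
                         port: int = 587, timeout: float = 30) -> smtplib.SMTP:
    """Opportunistic-TLS SMTP (submission, port 587): the same context
    must also be passed to starttls(), otherwise verification is lost."""
    ctx = _require_verifying(ctx)
    client = smtplib.SMTP(host, port, timeout=timeout)
    client.starttls(context=ctx)
    return client


def imap_client(host: str, ctx: Optional[ssl.SSLContext] = None,
                port: int = 993, timeout: float = 30) -> imaplib.IMAP4_SSL:
    """IMAPS with peer verification."""
    ctx = _require_verifying(ctx)
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)


def pop3_client(host: str, ctx: Optional[ssl.SSLContext] = None,
                port: int = 995, timeout: float = 30) -> poplib.POP3_SSL:
    """POP3S with peer verification."""
    ctx = _require_verifying(ctx)
    return poplib.POP3_SSL(host, port, context=ctx, timeout=timeout)
```

Usage: `with imap_client("imap.example.invalid") as m: m.login(user, pw)` (placeholder host). Note that imaplib spells the keyword ssl_context while smtplib and poplib use context; the guard in _require_verifying is what keeps a carelessly constructed context from reaching any of them.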
LockBit ransomware group assembles strike team to breach banks, law firms and governments.
[...] I thought it would be good to break down what is happening and how they're doing it, since LockBit are breaching some of the world's largest organisations - many of whom have incredibly large security budgets. Through data allowing the tracking of ransomware operators, it has been possible to track individual targets. Recently, it has become clear they have been targeting a vulnerability in Citrix Netscaler, called CitrixBleed.
https://doublepulsar.com/lockbit-ransomware-group-assemble-strike-team-to-breach-banks-law-firms-and-governments-4220580bfcee
CVE Half-Day Watcher
CVE Half-Day Watcher is a security tool designed to highlight the risk of early exposure of Common Vulnerabilities and Exposures (CVEs) in the public domain. It leverages the National Vulnerability Database (NVD) API to identify recently published CVEs with GitHub references before an official patch is released. By doing so, CVE Half-Day Watcher aims to underscore the window of opportunity for attackers to "harvest" this information and develop exploits.
https://github.com/Aqua-Nautilus/CVE-Half-Day-Watcher
Beware of job offers via SMS or WhatsApp
Out of the blue you receive a message from a recruitment agency: you are being offered a job. The pay is good and the working hours are flexible. The work consists of rating hotels and tourist attractions. If interested, you are asked to send the employer a WhatsApp message. Ignore this job offer, it is a scam!
https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-per-sms-oder-whatsapp/
Ddostf DDoS Bot Malware Attacking MySQL Servers
The ASEC analysis team has recently discovered that the Ddostf DDoS bot is being installed on vulnerable MySQL servers. Ddostf is a DDoS bot capable of conducting Distributed Denial of Service (DDoS) attacks on specific targets and was first identified around 2016.
https://asec.ahnlab.com/en/58878/
A Closer Look at ChatGPT's Role in Automated Malware Creation
This blog entry explores the effectiveness of ChatGPT's safety measures, the potential for AI technologies to be misused by criminal actors, and the limitations of current AI models.
https://www.trendmicro.com/en_us/research/23/k/a-closer-look-at-chatgpt-s-role-in-automated-malware-creation.html
Malicious Abrax666 AI Chatbot Exposed as Potential Scam
As of now, based on the information regarding the sale of the Abrax666 AI Chatbot, cybersecurity researchers are of the opinion that the chatbot is most likely a scam.
https://www.hackread.com/abrax666-ai-chatbot-exposed-as-potential-scam/
Vulnerabilities
Siemens Security Advisories
Siemens has released 14 new and 18 updated Security Advisories.
https://www.siemens.com/global/en/products/services/cert.html?d=2023-11#SiemensSecurityAdvisories
Xen Security Advisory CVE-2023-46835 / XSA-445 - x86/AMD: mismatch in IOMMU quarantine page table levels
A device in quarantine mode can access data from previous quarantine page table usages, possibly leaking data used by previous domains that also had the device assigned.
https://xenbits.xen.org/xsa/advisory-445.html
Xen Security Advisory CVE-2023-46836 / XSA-446 - x86: BTC/SRSO fixes not fully effective
An attacker in a PV guest might be able to infer the contents of memory belonging to other guests.
https://xenbits.xen.org/xsa/advisory-446.html
SAP Security Patch Day - November 2023
On 14th of November 2023, SAP Security Patch Day saw the release of 3 new Security Notes. Further, there were 3 updates to previously released Security Notes.
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
Security updates for Tuesday
Security updates have been issued by Debian (postgresql-11, postgresql-13, and postgresql-15), Fedora (chromium, optipng, and radare2), Scientific Linux (plexus-archiver and python), Slackware (tigervnc), SUSE (apache2, containerized-data-importer, kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, postgresql, postgresql15, postgresql16, postgresql12, postgresql13, python-Django1, squashfs, and xterm), and Ubuntu (firefox and memcached).
https://lwn.net/Articles/951311/
ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric
Siemens and Schneider Electric's Patch Tuesday advisories for November 2023 address 90 vulnerabilities affecting their products.
https://www.securityweek.com/ics-patch-tuesday-90-vulnerabilities-addressed-by-siemens-and-schneider-electric/
Mattermost security updates 9.1.3 / 9.0.4 / 8.1.6 (ESR) / 7.8.15 (ESR) released
The security update is available for Mattermost dot releases 9.1.3, 9.0.4, 8.1.6 (Extended Support Release), and 7.8.15 (Extended Support Release), for both Team Edition and Enterprise Edition.
https://mattermost.com/blog/mattermost-security-updates-9-1-3-9-0-4-8-1-6-esr-7-8-15-esr-released/
TYPO3-CORE-SA-2023-007: By-passing Cross-Site Scripting Protection in HTML Sanitizer
https://typo3.org/security/advisory/typo3-core-sa-2023-007
TYPO3-CORE-SA-2023-006: Weak Authentication in Session Handling
https://typo3.org/security/advisory/typo3-core-sa-2023-006
TYPO3-CORE-SA-2023-005: Information Disclosure in Install Tool
https://typo3.org/security/advisory/typo3-core-sa-2023-005
IBM Integration Bus is vulnerable to multiple CVEs due to Apache Tomcat.
https://www.ibm.com/support/pages/node/7072626
IBM QRadar Network Packet Capture includes components with multiple known vulnerabilities (CVE-2023-2828, CVE-2023-24329, CVE-2022-4839)
https://www.ibm.com/support/pages/node/7073360
IBM Security Guardium is affected by multiple OS level vulnerabilities
https://www.ibm.com/support/pages/node/7073592
AVEVA Operations Control Logger
https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-01
Rockwell Automation SIS Workstation and ISaGRAF Workbench
https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-02