End-of-Day report
Timeframe: Thursday 16-11-2023 18:00 - Friday 17-11-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
News
MySQL servers targeted by Ddostf DDoS-as-a-Service botnet
MySQL servers are being targeted by the Ddostf malware botnet to enslave them for a DDoS-as-a-Service platform whose firepower is rented to other cybercriminals.
https://www.bleepingcomputer.com/news/security/mysql-servers-targeted-by-ddostf-ddos-as-a-service-botnet/
Beyond -n: Optimizing tcpdump performance, (Thu, Nov 16th)
If you ever had to acquire packets from a network, you probably used tcpdump. Other tools (Wireshark, dumpcap, snort...) can do the same thing, but none is as widely used as tcpdump. tcpdump is simple to use, fast, and universally available (and free!).
https://isc.sans.edu/diary/rss/30408
Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware
Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead. Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER.
https://thehackernews.com/2023/11/beware-malicious-google-ads-trick.html
Understanding the Phobos affiliate structure and activity
Cisco Talos identified the most prolific Phobos variants, TTPs and affiliate structure, based on their activity and analysis of over 1,000 samples from VirusTotal dating back to 2019. We assess with moderate confidence that Eking, Eight, Elbie, Devos and Faust are the most common variants.
https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims
Researchers noted that ALPHV/BlackCat threat actors gain initial access to their target's IT networks through three methods. These include exploiting stolen or compromised login credentials to gain unauthorized access, exploiting vulnerabilities in remote management/monitoring tools to access IT systems, and browser-based attacks in which users are tricked into visiting malicious websites that deliver malware or malicious links in emails or social media posts.
https://www.hackread.com/alphv-blackcat-ransomware-gang-google-ads/
CISA Releases The Mitigation Guide: Healthcare and Public Health (HPH) Sector
Today, CISA released the Mitigation Guide: Healthcare and Public Health (HPH) Sector as a supplemental companion to the HPH Cyber Risk Summary, published July 19, 2023. This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector.
https://www.cisa.gov/news-events/alerts/2023/11/17/cisa-releases-mitigation-guide-healthcare-and-public-health-hph-sector
Vulnerabilities
Image editing: Attackers can slip malicious code into Gimp
The free open-source image editor Gimp has been released in version 2.10.36. It closes security vulnerabilities that allow malicious code to be injected.
https://www.heise.de/news/Bildbearbeitung-Angreifer-koennen-Gimp-Schadcode-unterjubeln-9531394.html
FortiNet patches severe security vulnerabilities in FortiOS and other products
Besides FortiOS and FortiClient, FortiSIEM, FortiWLM and other products are also affected by security flaws, some of them critical. Admins should patch.
https://www.heise.de/news/FortiNet-flickt-schwere-Sicherheitsluecken-in-FortiOS-und-anderen-Produkten-9529075.html
Anonymizing Linux: Tails 5.19.1 fixes Tor vulnerability, audit results are in
A bug in Tor that is apparently remotely exploitable prompted the renewed update. The results of the recent security audit, by contrast, are positive.
https://www.heise.de/news/Anonymisierendes-Linux-Tails-5-19-1-behebt-Tor-Luecke-Audit-Ergebnisse-sind-da-9532403.html
Security updates for Friday
Security updates have been issued by Debian (webkit2gtk), Fedora (microcode_ctl, pack, and tigervnc), Slackware (gimp), SUSE (frr, gcc13, go1.20, go1.20-openssl, go1.21, go1.21-openssl, libnbd, libxml2, python-Pillow, python-urllib3, and xen), and Ubuntu (intel-microcode and openvpn).
https://lwn.net/Articles/951801/
Over a Dozen Exploitable Vulnerabilities Found in AI/ML Tools
Since August 2023, members of the Huntr bug bounty platform for artificial intelligence (AI) and machine learning (ML) have uncovered over a dozen vulnerabilities exposing AI/ML models to system takeover and sensitive information theft.
Identified in tools with hundreds of thousands or millions of downloads per month, such as H2O-3, MLflow, and Ray, these issues potentially impact the entire AI/ML supply chain.
https://www.securityweek.com/over-a-dozen-exploitable-vulnerabilities-found-in-ai-ml-tools/
[R1] Nessus Agent Version 10.4.4 Fixes One Vulnerability
An arbitrary file write vulnerability exists where an authenticated attacker with privileges on the managing application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition.
https://www.tenable.com/security/tns-2023-41
[R1] Nessus Version 10.6.3 Fixes One Vulnerability
An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition.
https://www.tenable.com/security/tns-2023-40
[R1] Nessus Version 10.5.7 Fixes One Vulnerability
An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition.
https://www.tenable.com/security/tns-2023-39
Juniper Releases Security Advisory for Juniper Secure Analytics
Juniper released a security advisory to address multiple vulnerabilities affecting Juniper Secure Analytics. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Juniper advisory JSA74298 and apply the necessary updates.
https://www.cisa.gov/news-events/alerts/2023/11/17/juniper-releases-security-advisory-juniper-secure-analytics
ZDI-23-1716: Luxion KeyShot Viewer KSP File Parsing Memory Corruption Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-1716/
SVD-2023-1107: November 2023 Splunk Universal Forwarder Third-Party Updates
https://advisory.splunk.com//advisories/SVD-2023-1107
SVD-2023-1106: November 2023 Third-Party Package Updates in Splunk Enterprise
https://advisory.splunk.com//advisories/SVD-2023-1106
SVD-2023-1105: November 2023 Third Party Package updates in Splunk Enterprise
https://advisory.splunk.com//advisories/SVD-2023-1105
SVD-2023-1104: Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing
https://advisory.splunk.com//advisories/SVD-2023-1104
SVD-2023-1103: Cross-site Scripting (XSS) on 'Show Syntax Highlighted' View in Search Page
https://advisory.splunk.com//advisories/SVD-2023-1103
SVD-2023-1102: Third Party Package Update in Splunk Add-on for Google Cloud Platform
https://advisory.splunk.com//advisories/SVD-2023-1102
SVD-2023-1101: Third Party Package Update in Splunk Add-on for Amazon Web Services
https://advisory.splunk.com//advisories/SVD-2023-1101
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple Node.js vulnerabilities
https://www.ibm.com/support/pages/node/7077733
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Apache Ivy information disclosure vulnerability [CVE-2023-46751]
https://www.ibm.com/support/pages/node/7077734
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to libssh denial of service vulnerability [CVE-2023-3603]
https://www.ibm.com/support/pages/node/7077736
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to snappy-java information disclosure vulnerability [CVE-2023-43642]
https://www.ibm.com/support/pages/node/7077735
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to libssh denial of service vulnerability [CVE-2023-3603]
https://www.ibm.com/support/pages/node/7077739
IBM QRadar SIEM contains multiple vulnerabilities
https://www.ibm.com/support/pages/node/7070736
IBM Storage Fusion may be vulnerable to Unauthorized requests (SSRF), Improper path traversal, via k8s.io/apimachinery, k8s.io/apiserver (CVE-2022-3172, CVE-2022-3162)
https://www.ibm.com/support/pages/node/7077936
InfoSphere Information Server is vulnerable due to improper access control (CVE-2023-40363)
https://www.ibm.com/support/pages/node/7070742
IBM InfoSphere Information Server is affected by a vulnerability in Eclipse Jetty (CVE-2023-26049)
https://www.ibm.com/support/pages/node/7070740
IBM Storage Fusion may be vulnerable to Denial of Service via use of golang.org/x/net, x/crypto, and x/text (CVE-2022-30633, CVE-2022-27664, CVE-2022-28131, CVE-2022-41721, CVE-2021-43565, CVE-2022-27191, CVE-2022-32149)
https://www.ibm.com/support/pages/node/7077942
IBM Planning Analytics is affected by vulnerabilities in IBM Java, IBM Websphere Application Server Liberty and IBM GSKit
https://www.ibm.com/support/pages/node/7070140
IBM Storage Fusion may be vulnerable to Denial of Service via use of openshift/machine-api-operator, openshift/machine-config-operator (CVE-2020-28851, CVE-2020-28852, CVE-2021-44716)
https://www.ibm.com/support/pages/node/7077938
IBM Storage Fusion may be vulnerable to Injection, Regular Expression Denial of Service (ReDoS), and Arbitrary Code Execution via use of postcss, semver, babel-traverse (CVE-2023-45133, CVE-2022-25883, CVE-2023-44270)
https://www.ibm.com/support/pages/node/7077947
Java SE issues disclosed in the Oracle October 2023 Critical Patch Update plus CVE-2023-5676
https://www.ibm.com/support/pages/node/7078433
IBM Security SOAR is using a component with multiple known vulnerabilities
https://www.ibm.com/support/pages/node/7063706
IBM MQ Operator and Queue manager container images are vulnerable to libcurl vulnerabilities (CVE-2023-38546, CVE-2023-38545)
https://www.ibm.com/support/pages/node/7077530
IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43578)
https://www.ibm.com/support/pages/node/6957156
Watson Machine Learning Accelerator on Cloud Pak for Data is affected by multiple vulnerabilities in Grafana
https://www.ibm.com/support/pages/node/7078751
Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2023 CPU
https://www.ibm.com/support/pages/node/7078745
Red Lion Sixnet RTUs
https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01