End-of-Day report
Timeframe: Friday 17-11-2023 18:00 - Monday 20-11-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Exploit for CrushFTP RCE chain released, patch now
A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords.
https://www.bleepingcomputer.com/news/security/exploit-for-crushftp-rce-chain-released-patch-now/
Lumma Stealer malware now uses trigonometry to evade detection
The Lumma information-stealing malware is now using an interesting tactic to evade detection by security software - the measuring of mouse movements using trigonometry to determine if the malware is running on a real machine or an antivirus sandbox.
https://www.bleepingcomputer.com/news/security/lumma-stealer-malware-now-uses-trigonometry-to-evade-detection/
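To make the evasion technique above concrete, here is an added illustration (written for this report, not Lumma's code and not taken from the BleepingComputer article) of a mouse-movement heuristic of the kind described: successive cursor positions are turned into movement vectors, and the turning angle between consecutive vectors is checked. A hand on a mouse produces smooth curves with small turning angles; an idle sandbox cursor does not move at all, and crude cursor emulation jumps erratically. The sample count, the 45 degree threshold and the cursor coordinates are assumptions chosen for the example; a real check would poll the cursor position a few times at a fixed interval instead of using hard-coded points.

```python
import math

# Constructed cursor samples in screen coordinates (not captured data).
# A real implementation would poll the OS cursor position a few times at a
# fixed interval; the positions are hard-coded so the logic runs offline.
HUMAN_SAMPLE = [(100, 100), (112, 104), (125, 109), (139, 113), (154, 118)]
SANDBOX_IDLE = [(500, 400)] * 5  # cursor never moves
SANDBOX_JITTER = [(100, 100), (300, 120), (110, 350), (480, 90), (150, 420)]  # random jumps


def movement_vectors(points):
    """Displacement between each pair of consecutive cursor samples."""
    return [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]


def turning_angles(points):
    """Angle in degrees between consecutive movement vectors, in [0, 180].

    Smooth human motion keeps successive vectors pointing in nearly the same
    direction, so the turning angle stays small; erratic synthetic motion
    produces large angles.
    """
    vectors = movement_vectors(points)
    angles = []
    for (ax, ay), (bx, by) in zip(vectors, vectors[1:]):
        heading_a = math.degrees(math.atan2(ay, ax))
        heading_b = math.degrees(math.atan2(by, bx))
        diff = abs(heading_b - heading_a) % 360.0
        angles.append(min(diff, 360.0 - diff))
    return angles


def looks_like_human(points, max_turn_deg=45.0):
    """Sandbox heuristic of the kind the article describes (threshold assumed).

    Returns False for a stationary cursor (idle sandbox) or for erratic jumps
    (crude cursor emulation) and True for smooth, continuous motion.
    """
    if len(points) < 3:
        return False  # need at least two vectors to measure a turn
    if any(v == (0, 0) for v in movement_vectors(points)):
        return False  # cursor stood still between two samples
    return all(a < max_turn_deg for a in turning_angles(points))


if __name__ == "__main__":
    for name, sample in (("human", HUMAN_SAMPLE), ("idle", SANDBOX_IDLE), ("jitter", SANDBOX_JITTER)):
        angles = [round(a, 1) for a in turning_angles(sample)]
        print(f"{name:7s} angles={angles} human={looks_like_human(sample)}")
```

The defender-side takeaway: a sandbox whose cursor is static, or whose emulated movement teleports at random, fails a check like this and the sample never detonates. Replaying a recorded, smoothly curving trajectory during analysis passes it.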
Kinsing malware exploits Apache ActiveMQ RCE to plant rootkits
The Kinsing malware operator is actively exploiting the CVE-2023-46604 critical vulnerability in the Apache ActiveMQ open-source message broker to compromise Linux systems.
https://www.bleepingcomputer.com/news/security/kinsing-malware-exploits-apache-activemq-rce-to-plant-rootkits/
New "Agent Tesla" Variant: Unusual "ZPAQ" Archive Format Delivers Malware
A new variant of Agent Tesla uses the uncommon compression format ZPAQ to steal information from approximately 40 web browsers and various email clients. But what exactly is this file compression format? What advantage does it provide to threat actors? And why is it assumed that this version of Agent Tesla is "new"?
https://www.gdatasoftware.com/blog/2023/11/37822-agent-tesla-zpaq
DarkGate and PikaBot Malware Resurrect QakBot's Tactics in New Phishing Attacks
Phishing campaigns delivering malware families such as DarkGate and PikaBot are following the same tactics previously used in attacks leveraging the now-defunct QakBot trojan. "These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery," Cofense said in a report [...]
https://thehackernews.com/2023/11/darkgate-and-pikabot-malware-resurrect.html
NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors
Threat actors are targeting the education, government and business services sectors with a remote access trojan called NetSupport RAT. "The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns," VMware Carbon Black researchers said in a report [...]
https://thehackernews.com/2023/11/netsupport-rat-infections-on-rise.html
Visual Studio Code Security: Markdown Vulnerabilities in Third-Party Extensions
In this blog post, we present code vulnerabilities we found in GitLens (27 million installs) and GitHub Pull Requests and Issues (15 million installs). We will first give some background on VSCode internals, then explain the vulnerable portions of the code, and finally show how these issues can be prevented.
https://www.sonarsource.com/blog/vscode-security-markdown-vulnerabilities-in-extensions/
Xen Project Releases Version 4.18 with New Security, Performance, and Architecture Enhancements for AI/ML Applications
The Xen Project, an open source hypervisor hosted at the Linux Foundation, today announced the release of Xen Project Hypervisor 4.18 with architecture enhancements for High Performance Computing (HPC) and Machine Learning (ML) applications, as well as higher security and performance features.
https://xenproject.org/2023/11/20/xen-project-releases-version-4-18-with-new-security-performance-and-architecture-enhancements-for-ai-ml-applications/
How to perform basic digital forensics on a Windows computer
Digital forensics is a critical field in the investigation of cybercrimes, data breaches, and other digital incidents. As our reliance on computers continues to grow, the need for skilled digital forensics professionals is more crucial than ever. In this guide, we will explore the basics of performing digital [...]
https://cybersecurity.att.com/blogs/security-essentials/how-to-perform-basic-digital-forensics-on-a-windows-computer
Vulnerabilities
Updates for Trellix ePolicy Orchestrator close security vulnerabilities
Trellix, successor to McAfee and FireEye, has updated ePolicy Orchestrator. The update closes, among others, a vulnerability rated high risk.
https://www.heise.de/-9533816.html
Synology closes critical firmware vulnerability in surveillance cameras
Attackers can execute their own code on Synology surveillance cameras.
https://www.heise.de/-9534072.html
Security updates for Monday
Security updates have been issued by Debian (freerdp2, lwip, netty, and wireshark), Fedora (dotnet6.0, dotnet7.0, golang, gst-devtools, gstreamer1, gstreamer1-doc, gstreamer1-plugin-libav, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-rtsp-server, gstreamer1-vaapi, podman-tui, prometheus-podman-exporter, python-gstreamer1, syncthing, and tigervnc), Mageia (chromium-browser-stable, haproxy, and tigervnc), Oracle (curl, ghostscript, microcode_ctl, nghttp2, open-vm-tools, samba, and squid), SUSE (gcc13, postgresql14, and yt-dlp), and Ubuntu (iniparser).
https://lwn.net/Articles/951999/
Vulnerability CVE-2023-46302 in Apache Submarine
Apache Submarine contains a critical remote code execution vulnerability, CVE-2023-46302. It stems from a vulnerability in snakeyaml (CVE-2022-1471) and puts Apache Submarine users at risk, since attackers can execute arbitrary code on vulnerable systems.
https://www.borncity.com/blog/2023/11/20/schwachstelle-cve-2023-46302-in-apache-submarine/
Multiple vulnerabilities in LuxCal Web Calendar
https://jvn.jp/en/jp/JVN15005948/
WAGO: Improper privilege management in web-based management
https://cert.vde.com/de/advisories/VDE-2023-015/
[R1] Security Center Version 6.2.1 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2023-42
CVE-2022-41713 An issue was discovered in deep-object-diff version 1.1.0
https://www.ibm.com/support/pages/node/7079403
CVE-2022-24434 An issue was discovered in the npm package dicer
https://www.ibm.com/support/pages/node/7079460
Vulnerability in d3-color affects IBM UrbanCode Velocity (WS-2022-0322)
https://www.ibm.com/support/pages/node/7079484
IBM Storage Protect for Virtual Environments is vulnerable to arbitrary code execution, sensitive information disclosure, and denial of service due to CVEs in Apache Velocity, Apache Jena, and XStream (woodstox)
https://www.ibm.com/support/pages/node/7079947
QRadar Suite Software includes components with multiple known vulnerabilities
https://www.ibm.com/support/pages/node/7080058
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Go HTML injection vulnerability [CVE-2023-24539]
https://www.ibm.com/support/pages/node/7080057
IBM App Connect Enterprise is vulnerable to a heap-based buffer overflow due to libcurl and cURL. (CVE-2023-38546, CVE-2023-38545)
https://www.ibm.com/support/pages/node/7076344