Daily summary - 20.11.2023

End-of-Day report

Timeframe: Friday 17-11-2023 18:00 - Monday 20-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Exploit for CrushFTP RCE chain released, patch now

A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords.

https://www.bleepingcomputer.com/news/security/exploit-for-crushftp-rce-chain-released-patch-now/


Lumma Stealer malware now uses trigonometry to evade detection

The Lumma information-stealing malware is now using an interesting tactic to evade detection by security software - the measuring of mouse movements using trigonometry to determine if the malware is running on a real machine or an antivirus sandbox.

https://www.bleepingcomputer.com/news/security/lumma-stealer-malware-now-uses-trigonometry-to-evade-detection/
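The blurb above describes a sandbox check built on cursor geometry. The following is an added illustration, not code from the article or from the Lumma sample: it records a few cursor positions, turns them into movement vectors and uses the angle between consecutive vectors to separate an idle or scripted cursor from a smoothly moving one. The three sample traces, the sample count and interval, and the 45-degree turn threshold are constructed assumptions for this example.

```python
"""Angle-based check for human-like mouse movement (added example).

Analysis works on any recorded trace of (x, y) cursor positions; the
Windows sampler at the bottom is only needed to capture a live trace.
"""
import math
from typing import List, Optional, Sequence, Tuple

Point = Tuple[int, int]

# Constructed sample traces (not captured from a real system or from the malware).
HUMAN_TRACE: List[Point] = [(100, 100), (112, 104), (125, 110), (139, 118), (154, 128)]
IDLE_TRACE: List[Point] = [(500, 400)] * 5  # cursor never moves between samples
ERRATIC_TRACE: List[Point] = [(100, 100), (300, 100), (300, 300), (100, 300), (100, 100)]


def movement_angles(points: Sequence[Point]) -> List[Optional[float]]:
    """Angle in degrees between each pair of consecutive movement vectors.

    None marks a pair in which the cursor did not move between two samples,
    so there is no direction to compare.
    """
    if len(points) < 3:
        raise ValueError("need at least three cursor samples")
    vectors = [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]
    angles: List[Optional[float]] = []
    for (ax, ay), (bx, by) in zip(vectors, vectors[1:]):
        norm_a, norm_b = math.hypot(ax, ay), math.hypot(bx, by)
        if norm_a == 0 or norm_b == 0:
            angles.append(None)
            continue
        cos_theta = (ax * bx + ay * by) / (norm_a * norm_b)
        cos_theta = max(-1.0, min(1.0, cos_theta))  # guard acos against rounding error
        angles.append(math.degrees(math.acos(cos_theta)))
    return angles


def classify_mouse_trace(points: Sequence[Point], max_turn_deg: float = 45.0) -> str:
    """Classify a cursor trace as 'idle', 'human' or 'erratic'.

    The turn threshold is an assumption for this example, not a value taken
    from the article or from the malware.
    """
    if any(p == q for p, q in zip(points, points[1:])):
        return "idle"  # nothing moved the cursor, typical of an unattended sandbox
    angles = movement_angles(points)
    if all(a is not None and a < max_turn_deg for a in angles):
        return "human"  # smooth, gradually turning path
    return "erratic"  # sharp direction changes such as scripted jumps


def sample_cursor_windows(samples: int = 5, interval_s: float = 0.3) -> List[Point]:
    """Record cursor positions with GetCursorPos (Windows only; parameters assumed)."""
    import ctypes
    import time
    from ctypes import wintypes

    pt = wintypes.POINT()
    trace: List[Point] = []
    for _ in range(samples):
        ctypes.windll.user32.GetCursorPos(ctypes.byref(pt))
        trace.append((pt.x, pt.y))
        time.sleep(interval_s)
    return trace


if __name__ == "__main__":
    for name, trace in [("human", HUMAN_TRACE), ("idle", IDLE_TRACE), ("erratic", ERRATIC_TRACE)]:
        print(f"{name:8s} -> {classify_mouse_trace(trace)}")
```

Note the limitation the heuristic shares with any geometry-only check: a scripted cursor that glides along a straight line or a gentle curve passes as "human", so from the defender's side a sandbox that replays realistic movement is enough to keep such samples detonating.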


Kinsing malware exploits Apache ActiveMQ RCE to plant rootkits

The Kinsing malware operator is actively exploiting the CVE-2023-46604 critical vulnerability in the Apache ActiveMQ open-source message broker to compromise Linux systems.

https://www.bleepingcomputer.com/news/security/kinsing-malware-exploits-apache-activemq-rce-to-plant-rootkits/


New "Agent Tesla" Variant: Unusual "ZPAQ" Archive Format Delivers Malware

A new variant of Agent Tesla is delivered in the uncommon ZPAQ compression format and steals information from approximately 40 web browsers and various email clients. But what exactly is this file compression format? What advantage does it provide to threat actors? And why is it assumed that this version of Agent Tesla is "new"?

https://www.gdatasoftware.com/blog/2023/11/37822-agent-tesla-zpaq


DarkGate and PikaBot Malware Resurrect QakBot's Tactics in New Phishing Attacks

Phishing campaigns delivering malware families such as DarkGate and PikaBot are following the same tactics previously used in attacks leveraging the now-defunct QakBot trojan. "These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery," Cofense said in a report [...]

https://thehackernews.com/2023/11/darkgate-and-pikabot-malware-resurrect.html


NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors

Threat actors are targeting the education, government and business services sectors with a remote access trojan called NetSupport RAT. "The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns," VMware Carbon Black researchers said in a report [...]

https://thehackernews.com/2023/11/netsupport-rat-infections-on-rise.html


Visual Studio Code Security: Markdown Vulnerabilities in Third-Party Extensions

In this blog post, we present code vulnerabilities we found in GitLens (27 million installs) and GitHub Pull Requests and Issues (15 million installs). We will first give some background on VSCode internals, then explain the vulnerable portions of the code, and finally show how these issues can be prevented.

https://www.sonarsource.com/blog/vscode-security-markdown-vulnerabilities-in-extensions/


Xen Project Releases Version 4.18 with New Security, Performance, and Architecture Enhancements for AI/ML Applications

The Xen Project, an open source hypervisor hosted at the Linux Foundation, today announced the release of Xen Project Hypervisor 4.18 with architecture enhancements for High Performance Computing (HPC) and Machine Learning (ML) applications, as well as higher security and performance features.

https://xenproject.org/2023/11/20/xen-project-releases-version-4-18-with-new-security-performance-and-architecture-enhancements-for-ai-ml-applications/


How to perform basic digital forensics on a Windows computer

Digital forensics is a critical field in the investigation of cybercrimes, data breaches, and other digital incidents. As our reliance on computers continues to grow, the need for skilled digital forensics professionals is more crucial than ever. In this guide, we will explore the basics of performing digital [...]

https://cybersecurity.att.com/blogs/security-essentials/how-to-perform-basic-digital-forensics-on-a-windows-computer

Vulnerabilities

Updates for Trellix ePolicy Orchestrator close security vulnerabilities

Trellix, successor to McAfee and FireEye, has updated ePolicy Orchestrator. Among other things, the update closes a vulnerability rated as high risk.

https://www.heise.de/-9533816.html


Synology closes critical firmware vulnerability in surveillance cameras

Attackers can execute their own code on Synology surveillance cameras.

https://www.heise.de/-9534072.html


Security updates for Monday

Security updates have been issued by Debian (freerdp2, lwip, netty, and wireshark), Fedora (dotnet6.0, dotnet7.0, golang, gst-devtools, gstreamer1, gstreamer1-doc, gstreamer1-plugin-libav, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-rtsp-server, gstreamer1-vaapi, podman-tui, prometheus-podman-exporter, python-gstreamer1, syncthing, and tigervnc), Mageia (chromium-browser-stable, haproxy, and tigervnc), Oracle (curl, ghostscript, microcode_ctl, nghttp2, open-vm-tools, samba, and squid), SUSE (gcc13, postgresql14, and yt-dlp), and Ubuntu (iniparser).

https://lwn.net/Articles/951999/


Vulnerability CVE-2023-46302 in Apache Submarine

Apache Submarine contains a critical remote code execution vulnerability, CVE-2023-46302. It stems from a vulnerability in snakeyaml (CVE-2022-1471) and puts Apache Submarine users at risk, since attackers can execute arbitrary code on vulnerable systems.

https://www.borncity.com/blog/2023/11/20/schwachstelle-cve-2023-46302-in-apache-submarine/


Multiple vulnerabilities in LuxCal Web Calendar

https://jvn.jp/en/jp/JVN15005948/


WAGO: Improper privilege management in web-based management

https://cert.vde.com/de/advisories/VDE-2023-015/


[R1] Security Center Version 6.2.1 Fixes Multiple Vulnerabilities

https://www.tenable.com/security/tns-2023-42


CVE-2022-41713 An issue was discovered in deep-object-diff version 1.1.0

https://www.ibm.com/support/pages/node/7079403


CVE-2022-24434 An issue was discovered in the npm package dicer

https://www.ibm.com/support/pages/node/7079460


Vulnerability in d3-color affects IBM UrbanCode Velocity (WS-2022-0322)

https://www.ibm.com/support/pages/node/7079484


IBM Storage Protect for Virtual Environments is vulnerable to arbitrary code execution, sensitive information disclosure, and denial of service due to CVEs in Apache Velocity, Apache Jena, and XStream (woodstox)

https://www.ibm.com/support/pages/node/7079947


QRadar Suite Software includes components with multiple known vulnerabilities

https://www.ibm.com/support/pages/node/7080058


IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Go HTML injection vulnerability [CVE-2023-24539]

https://www.ibm.com/support/pages/node/7080057


IBM App Connect Enterprise is vulnerable to a heap-based buffer overflow due to libcurl and cURL (CVE-2023-38546, CVE-2023-38545)

https://www.ibm.com/support/pages/node/7076344