End-of-Day report
Timeframe: Monday 20-11-2023 18:00 - Tuesday 21-11-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits
The Kinsing threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. "Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the host's resources to mine cryptocurrencies like Bitcoin, [..]
https://thehackernews.com/2023/11/kinsing-hackers-exploit-apache-activemq.html
How Multi-Stage Phishing Attacks Exploit QRs, CAPTCHAs, and Steganography
Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them.
https://thehackernews.com/2023/11/how-multi-stage-phishing-attacks.html
Fake newspaper articles advertise fraudulent investment offers
Criminals forge the websites of media outlets such as oe24 and ORF and fill them with fake news. The forged articles advertise a way to get rich quickly. Supposedly, Christoph Grissemann, Miriam Weichselbraun or Armin Assinger give investment tips and explain that anyone can turn just 250 euros into a million within a few months.
https://www.watchlist-internet.at/news/gefaelschte-zeitungsartikel-bewerben-betruegerische-investment-angebote/
CISA, FBI, MS-ISAC, and ASD's ACSC Release Advisory on LockBit Affiliates Exploiting Citrix Bleed
Today, CISA, the FBI, MS-ISAC, and the Australian ASD's ACSC released a joint Cybersecurity Advisory (CSA), #StopRansomware: LockBit Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (along with an accompanying analysis report MAR-10478915-1.v1 Citrix Bleed), in response to LockBit 3.0 ransomware affiliates and multiple threat actor groups exploiting CVE-2023-4966. Labeled Citrix Bleed, the vulnerability affects Citrix's NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.
https://www.cisa.gov/news-events/alerts/2023/11/21/cisa-fbi-ms-isac-and-asds-acsc-release-advisory-lockbit-affiliates-exploiting-citrix-bleed
Vulnerabilities
Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets
Multiple vulnerabilities identified in Adobe ColdFusion allow an unauthenticated attacker to obtain the service account NTLM password hash, verify the existence of a file or directory on the underlying operating system, and configure central config server settings.
CVE Identifiers: CVE-2023-44353, CVE-2023-29300, CVE-2023-38203, CVE-2023-38204
https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/
Security updates for Tuesday
Security updates have been issued by Debian (activemq, strongswan, and wordpress), Mageia (u-boot), SUSE (avahi, frr, libreoffice, nghttp2, openssl, openssl1, postgresql, postgresql15, postgresql16, python-Twisted, ucode-intel, and xen), and Ubuntu (avahi, hibagent, nodejs, strongswan, tang, and webkit2gtk).
https://lwn.net/Articles/952088/
Synology-SA-23:16 SRM (PWN2OWN 2023)
The vulnerabilities allow man-in-the-middle attackers to execute arbitrary code or access intranet resources via a susceptible version of Synology Router Manager (SRM). A vulnerability reported by PWN2OWN 2023 has been addressed.
https://www.synology.com/en-global/support/security/Synology_SA_23_16
[nextcloud]: Server-Side Request Forgery (SSRF) in Mail app
An attacker can use an unprotected endpoint in the Mail app to perform an SSRF attack.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4pp4-m8ph-2999
[nextcloud]: DNS pin middleware can be tricked into DNS rebinding allowing SSRF
The DNS pin middleware was vulnerable to DNS rebinding, allowing an attacker to perform SSRF as a final result.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8f69-f9jg-4x3v
[nextcloud]: user_ldap app logs user passwords in the log file on level debug
When the log level was set to debug, the user_ldap app logged user passwords in plaintext into the log file. If the log file was then leaked or shared in any way, the users' passwords would be leaked.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35p6-4992-w5fr
[nextcloud]: Can enable/disable birthday calendar for any user
An attacker could enable and disable the birthday calendar for any user on the same server.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8jwv-c8c8-9fr3
[nextcloud]: Admins can change authentication details of user configured external storage
It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6
It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2448-44rp-c7hh
[nextcloud]: Self XSS when pasting HTML into Text app with Ctrl+Shift+V
When a user is tricked into copy-pasting HTML code without markup (Ctrl+Shift+V), the markup will actually render.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p7g9-x25m-4h87
[nextcloud]: HTML injection in search UI when selecting a circle with HTML in the display name
An attacker could insert links into a circle's name that would be opened when clicking the circle name in a search filter.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wgpw-qqq2-gwv6
[nextcloud]: Users can make external storage mount points inaccessible for other users
A malicious user could update any personal or global external storage, making them inaccessible for everyone else as well.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267
Zyxel security advisory for out-of-bounds write vulnerability in SecuExtender SSL VPN Client software
The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software could allow a local authenticated user to gain a privilege escalation by sending a crafted CREATE message.
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-out-of-bounds-write-vulnerability-in-secuextender-ssl-vpn-client-software
WAGO: Remote Code Execution vulnerability in managed Switches
https://cert.vde.com/de/advisories/VDE-2023-037/
PHOENIX CONTACT: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products
https://cert.vde.com/de/advisories/VDE-2023-062/
Multiple vulnerabilities on [Bosch Rexroth] ctrlX HMI / WR21
https://psirt.bosch.com/security-advisories/bosch-sa-175607.html
IBM Sterling B2B Integrator is affected by vulnerability in JDOM (CVE-2021-33813)
https://www.ibm.com/support/pages/node/7080105
IBM Sterling B2B Integrator dashboard is vulnerable to cross-site request forgery (CVE-2022-35638)
https://www.ibm.com/support/pages/node/7080104
IBM Sterling B2B Integrator affected by FasterXML Jackson-data vulnerabilities (CVE-2022-42003, CVE-2022-42004)
https://www.ibm.com/support/pages/node/7080107
IBM Sterling B2B Integrator affected by XStream security vulnerabilities
https://www.ibm.com/support/pages/node/7080106
IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty
https://www.ibm.com/support/pages/node/7080117
IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty
https://www.ibm.com/support/pages/node/7080118
Multiple security vulnerabilities have been identified in the DB2 JDBC driver shipped with IBM Tivoli Business Service Manager
https://www.ibm.com/support/pages/node/7080122
There is an Apache vulnerability in Liberty used by the IBM Maximo Manage application in the IBM Maximo Application Suite (CVE-2023-24998)
https://www.ibm.com/support/pages/node/7080157
There is a vulnerability in jetty-http-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049)
https://www.ibm.com/support/pages/node/7080156
There is a vulnerability in jetty-server-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049)
https://www.ibm.com/support/pages/node/7080155
Multiple security vulnerabilities in Snake YAML affect IBM Sterling B2B Integrator
https://www.ibm.com/support/pages/node/7080177
IBM Sterling B2B Integrator affected by remote code execution due to Snake Yaml (CVE-2022-1471)
https://www.ibm.com/support/pages/node/7080174
IBM Sterling B2B Integrator is vulnerable to information disclosure (CVE-2023-25682)
https://www.ibm.com/support/pages/node/7080172
IBM Sterling B2B Integrator is affected by sensitive information exposure due to Apache James MIME4J (CVE-2022-45787)
https://www.ibm.com/support/pages/node/7080175
IBM Sterling B2B Integrator is vulnerable to denial of service due to Apache Commons FileUpload (CVE-2023-24998)
https://www.ibm.com/support/pages/node/7080176