Daily summary - 22.11.2023

End-of-Day report

Timeframe: Tuesday 21-11-2023 18:00 - Wednesday 22-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner

News

HrServ - Previously unknown web shell used in APT attack

In this report Kaspersky researchers provide an analysis of the previously unknown HrServ web shell, which exhibits both APT and crimeware features and has likely been active since 2021.

https://securelist.com/hrserv-apt-web-shell/111119/


ClearFake Campaign Expands to Deliver Atomic Stealer on Macs Systems

The macOS information stealer known as Atomic is now being delivered to targets via a bogus web browser update chain tracked as ClearFake. "This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system," Malwarebytes' Jérôme Segura said in a Tuesday analysis.

https://thehackernews.com/2023/11/clearfake-campaign-expands-to-deliver.html


Lumma malware can allegedly restore expired Google auth cookies

The Lumma information-stealer malware (aka LummaC2) is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. [..] This new feature allegedly introduced in recent Lumma releases is yet to be verified by security researchers or Google, so whether or not it works as advertised remains uncertain.

https://www.bleepingcomputer.com/news/security/lumma-malware-can-allegedly-restore-expired-google-auth-cookies/


Windows Hello Fingerprint Authentication Bypassed on Popular Laptops

Researchers have tested the fingerprint sensors used for Windows Hello on three popular laptops and managed to bypass them.

https://www.securityweek.com/windows-hello-fingerprint-authentication-bypassed-on-popular-laptops/


"I would like to change my bank details": this email to the HR department could be fraud

Criminals pose as employees of your company and ask for your bank details for the salary transfer to be changed. If the email is not recognised as fake, the salary of the employee concerned is transferred to the criminals' bank account. We show you where the criminals get the data from and how you can protect yourself.

https://www.watchlist-internet.at/news/ich-moechte-meine-bankdaten-aendern-dieses-mail-an-die-personalabteilung-koennte-betrug-sein/


The Ticking Supply Chain Attack Bomb of Exposed Kubernetes Secrets

Exposed Kubernetes secrets pose a critical threat of supply chain attack. Aqua Nautilus researchers found that the exposed Kubernetes secrets of hundreds of organizations and open-source projects allow access to sensitive environments in the Software Development Life Cycle (SDLC) and open a severe supply chain attack threat. Among the companies were SAP's Artifacts management system with over 95 million, two top blockchain companies, and various other Fortune 500 companies.

https://blog.aquasec.com/the-ticking-supply-chain-attack-bomb-of-exposed-kubernetes-secrets

Vulnerabilities

Multiple Vulnerabilities in m-privacy TightGate-Pro

There are several vulnerabilities in the server which enable attackers to view the VNC sessions of other users, infect the VNC session with keyloggers and start internal phishing attacks. Additionally, a TightGate-Pro administrator can push malicious PDFs to the endpoint of the user. Furthermore, the update servers, which are only reachable via an SSH tunnel, are severely outdated (2003). CVEs: CVE-2023-47250, CVE-2023-47251

https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-m-privacy-tightgate-pro/


Several Critical Vulnerabilities including Privilege Escalation, Authentication Bypass, and More Patched in UserPro WordPress Plugin

On May 1, 2023, the Wordfence Threat Intelligence team began the responsible disclosure process for multiple high and critical severity vulnerabilities we discovered in Kirotech's UserPro plugin, which is actively installed on more than 20,000 WordPress websites [..] We made an initial attempt to contact Kirotech, the vendor of UserPro, on May 1, 2023, but we did not receive a response until May 10, 2023, after many additional attempts. After providing full disclosure details, the developer released the first patch on July 27, 2023, and the final patch on October 31, 2023.

https://www.wordfence.com/blog/2023/11/several-critical-vulnerabilities-including-privilege-escalation-authentication-bypass-and-more-patched-in-userpro-wordpress-plugin/


Security updates for Wednesday

Security updates have been issued by Debian (gimp), Fedora (audiofile and firefox), Mageia (postgresql), Red Hat (binutils, c-ares, fence-agents, glibc, kernel, kernel-rt, kpatch-patch, libcap, libqb, linux-firmware, ncurses, pixman, python-setuptools, samba, and tigervnc), Slackware (kernel and mozilla), SUSE (apache2-mod_jk, avahi, container-suseconnect, java-1_8_0-openjdk, libxml2, openssl-1_0_0, openssl-1_1, openvswitch, python3-setuptools, strongswan, ucode-intel, and util-linux), and Ubuntu (frr, gnutls28, hibagent, linux, linux-aws, linux-aws-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux-starfive, linux, linux-aws, linux-aws-hwe, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-laptop, linux-lowlatency, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux-oem-6.1, mosquitto, rabbitmq-server, squid, and tracker-miners).

https://lwn.net/Articles/952312/


Mozilla Releases Security Updates for Firefox and Thunderbird

https://www.cisa.gov/news-events/alerts/2023/11/22/mozilla-releases-security-updates-firefox-and-thunderbird


Fix for BIRT Report Engine that is vulnerable due to nested jtidy.jar r938

https://www.ibm.com/support/pages/node/7081112


Vulnerability in Apache HTTP Server affects IBM HTTP Server used by IBM Rational ClearQuest

https://www.ibm.com/support/pages/node/7081354


IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities

https://www.ibm.com/support/pages/node/7081403