End-of-Day report
Timeframe: Friday 24-11-2023 18:00 - Monday 27-11-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Atomic Stealer malware strikes macOS via fake browser updates
The ClearFake fake browser update campaign has expanded to macOS, targeting Apple computers with Atomic Stealer (AMOS) malware.
https://www.bleepingcomputer.com/news/security/atomic-stealer-malware-strikes-macos-via-fake-browser-updates/
EvilSlackbot: A Slack Attack Framework
To authenticate to the Slack API, each bot is assigned an API token that begins with xoxb or xoxp. More often than not, these tokens are leaked somewhere. When these tokens are exfiltrated during a Red Team exercise, it can be a pain to properly utilize them. Now EvilSlackbot is here to automate and streamline that process. You can use EvilSlackbot to send spoofed Slack messages, phishing links, files, and search for secrets leaked in Slack. [..] In addition to red teaming, EvilSlackbot has also been developed with Slack phishing simulations in mind.
https://github.com/Drew-Sec/EvilSlackbot
Scans for ownCloud Vulnerability (CVE-2023-49103), (Mon, Nov 27th)
Last week, ownCloud released an advisory disclosing a new vulnerability, CVE-2023-49103 [1]. The vulnerability will allow attackers to gain access to admin passwords. To exploit the vulnerability, the attacker will use the "graphapi" app to access the output of "phpinfo". If the ownCloud install runs in a container, it will allow access to admin passwords, mail server credentials, and license keys.
https://isc.sans.edu/diary/rss/30432
WordPress Vulnerability & Patch Roundup November 2023
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
To help educate website owners on emerging threats to their environments, we've compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
https://blog.sucuri.net/2023/11/wordpress-vulnerability-patch-roundup-november-2023.html
Experts Uncover Passive Method to Extract Private RSA Keys from SSH Connections
A new study has demonstrated that it's possible for passive network attackers to obtain private RSA host keys from a vulnerable SSH server by observing naturally occurring computational faults that occur while the connection is being established. [..] The researchers described the method as a lattice-based key recovery fault attack, which allowed them to retrieve the private keys corresponding to 189 unique RSA public keys that were subsequently traced to devices from four manufacturers: Cisco, Hillstone Networks, Mocana, and Zyxel.
https://thehackernews.com/2023/11/experts-uncover-passive-method-to.html
One billion insecure websites - "Don't forget the shower mat!"
Risks inflated in advertising serve the sale of security products more than they serve security itself. On the contrary, they are often harmful to it.
https://www.heise.de/meinung/Eine-Milliarde-unsichere-Webseiten-Vergessen-Sie-die-Duschmatte-nicht-9538304.html
BSI and other cyber security authorities publish AI guidelines
The BSI publishes guidelines for secure AI systems in cooperation with partner authorities from the United Kingdom and the USA.
https://www.heise.de/news/BSI-und-weitere-Cybersicherheitsbehoerden-veroeffentlichen-KI-Richtlinien-9540951.html?wt_mc=rss.red.ho.ho.atom.beitrag.beitrag
Free Micropatches For Microsoft Access Forced Authentication Through Firewall (0day)
On November 9, 2023, Check Point Research published an article about an "information disclosure" / "forced authentication" vulnerability in Microsoft Access that allows an attacker to obtain the victim's NTLM hash by having them open a Microsoft Office document (docx, rtf, accdb, etc.) with an embedded Access database.
https://blog.0patch.com/2023/11/free-micropatches-for-microsoft-access.html
Beware of fake shops for skins
The online shop fngalaxy.de offers skins and accounts for Fortnite. "Renegade Raider", "OG Ghoul Trooper" or "Black Knight" are offered there at a discount. However, we advise against ordering, since you can only pay with a Paysafecard or Amazon code and will not receive your order.
https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-fuer-skins/
Warning about fraudulent emails in the name of Finanz Online
The deceptively genuine-looking emails link to a fake website on which the victims are then supposed to enter their banking details
https://www.derstandard.at/story/3000000197015/warnung-betrugs-mails-finanzonline
LKA warning about fake Temu notifications
The Lower Saxony State Criminal Police Office (Landeskriminalamt Niedersachsen) recently issued a warning concerning customers of the Chinese discount online retailer Temu. Fraudsters try to get recipients to disclose personal information under false pretences, in the form of a purported Temu notification. Here is a short overview [..]
https://www.borncity.com/blog/2023/11/26/lka-warnung-vor-geflschten-temu-benachrichtigungen/
Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)
While monitoring recent attacks by the Andariel threat group, AhnLab Security Emergency response Center (ASEC) has discovered an attack case in which the group is assumed to be exploiting the Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware.
https://asec.ahnlab.com/en/59318/
Vulnerabilities
CVE-2023-34053, CVE-2023-34055: Spring Framework and Spring Boot vulnerabilities
The Spring Framework 6.0.14 release shipped on November 16th includes a fix for CVE-2023-34053. The Spring Boot 2.7.18 release shipped on November 23rd includes fixes for CVE-2023-34055. Users are encouraged to update as soon as possible.
https://spring.io/blog/2023/11/27/cve-2023-34053-cve-2023-34055-spring-framework-and-spring-boot
Security updates for Monday
Security updates have been issued by Debian (freeimage, gimp, gst-plugins-bad1.0, node-json5, opensc, python-requestbuilder, reportbug, strongswan, symfony, thunderbird, and tiff), Fedora (chromium, galera, golang, kubernetes, mariadb, python-asyncssh, thunderbird, vim, and webkitgtk), Gentoo (AIDE, Apptainer, GLib, GNU Libmicrohttpd, Go, GRUB, LibreOffice, MiniDLNA, multipath-tools, Open vSwitch, phpMyAdmin, QtWebEngine, and RenderDoc), Slackware (vim), SUSE (gstreamer-plugins-bad, java-1_8_0-ibm, openvswitch, poppler, slurm, slurm_22_05, slurm_23_02, sqlite3, vim, webkit2gtk3, and xrdp), and Ubuntu (openvswitch and thunderbird).
https://lwn.net/Articles/952923/
MISP 2.4.179 released with a host of improvements a security fix and some new tooling.
First baby steps taken towards LLM integration.
https://github.com/MISP/MISP/releases/tag/v2.4.179