Daily summary - 30.11.2023

End-of-Day report

Timeframe: Wednesday 29-11-2023 18:00 - Thursday 30-11-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer

News

FjordPhantom Android malware uses virtualization to evade detection

A new Android malware named FjordPhantom has been discovered using virtualization to run malicious code in a container and evade detection.

https://www.bleepingcomputer.com/news/security/fjordphantom-android-malware-uses-virtualization-to-evade-detection/


TRAP; RESET; POISON; - Taking over a country Kaminsky-style

A technical look at manipulating the DNS name resolution of an entire country.

https://sec-consult.com/de/blog/detail/uebernahme-eines-landes-nach-kaminsky-art/


CACTUS Ransomware Exploits Qlik Sense Vulnerabilities in Targeted Attacks

A CACTUS ransomware campaign has been observed exploiting recently disclosed security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain a foothold into targeted environments.

https://thehackernews.com/2023/11/cactus-ransomware-exploits-qlik-sense.html


Zoom Vulnerability Allowed Hackers to Take Over Meetings, Steal Data

Zoom Rooms, the cloud-based video conferencing platform by Zoom, is making headlines due to a recently discovered vulnerability. This flaw poses a significant security risk as it enables attackers to seize control of a Zoom Room's service account, gaining unauthorized access to the victim organization's tenant.

https://www.hackread.com/zoom-vulnerability-hackers-hijack-meetings-data/


BLUFFS: New attacks threaten Bluetooth data security on billions of devices

A flaw in the Bluetooth protocol lets attackers force easy-to-crack keys and thereby break past as well as future data transmissions.

https://www.heise.de/-9544862

Vulnerabilities

Drupal: Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053

The Xsendfile module enables fast transfer for private files in Drupal. In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of ImageStyleDownloadController.

https://www.drupal.org/sa-contrib-2023-053


Apache ActiveMQ: Multiple code execution vulnerabilities exploited by botnet operators

Meanwhile, the ActiveMQ project reports a new security vulnerability that can likewise be used to execute malicious code. The bug lies in the deserialization routine of the Jolokia component, but requires authentication. While the ActiveMQ developers rate the severity as medium, the BSI's warning and information service assigns a CVSS score of 8.8 and thus rates the severity as "high". CVE ID: CVE-2022-41678

https://www.heise.de/-9544281


MOVEit Transfer Service Pack (November 2023)

This article contains the details of the specific updates within the MOVEit Transfer November 2023 Service Pack. The Service Pack contains fixes for 2 newly disclosed CVEs described below. Progress Software highly recommends that you apply this Service Pack for product updates and security improvements. CVE IDs: CVE-2023-6217, CVE-2023-6218

https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-November-2023


Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023)

Last week, there were 115 vulnerabilities disclosed in 87 WordPress plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 vulnerability researchers who contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

https://www.wordfence.com/blog/2023/11/wordfence-intelligence-weekly-wordpress-vulnerability-report-november-20-2023-to-november-26-2023/


Security updates for Thursday

Security updates have been issued by Fedora (chromium, gnutls, gst-devtools, gstreamer1, gstreamer1-doc, libcap, mingw-poppler, python-gstreamer1, qbittorrent, webkitgtk, and xen), Mageia (docker, kernel-linus, and python-django), Oracle (dotnet6.0, dotnet7.0, dotnet8.0, firefox, samba, squid, and thunderbird), Red Hat (firefox, postgresql:13, squid, and thunderbird), SUSE (cilium, freerdp, java-1_8_0-ibm, and java-1_8_0-openj9), and Ubuntu (ec2-hibinit-agent, freerdp2, gimp, gst-plugins-bad1.0, openjdk-17, openjdk-21, openjdk-lts, openjdk-8, pypy3, pysha3, and u-boot-nezha).

https://lwn.net/Articles/953379/


[R1] Nessus Network Monitor 6.3.1 Fixes Multiple Vulnerabilities

Risk Factor: Critical, CVE ID: CVE-2023-5363, CVE-2021-23369, CVE-2021-23383, CVE-2018-9206

https://www.tenable.com/security/tns-2023-43


Zyxel security advisory for authentication bypass and command injection vulnerabilities in NAS products

Zyxel has released patches addressing an authentication bypass vulnerability and command injection vulnerabilities in NAS products. Users are advised to install them for optimal protection. CVEs: CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-authentication-bypass-and-command-injection-vulnerabilities-in-nas-products


CISA Adds Two Known Exploited Vulnerabilities to Catalog

https://www.cisa.gov/news-events/alerts/2023/11/30/cisa-adds-two-known-exploited-vulnerabilities-catalog


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


PTC KEPServerEx

https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03


Delta Electronics DOPSoft

https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-01


Mitsubishi Electric FA Engineering Software Products

https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-04


Yokogawa STARDOM

https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-02