Daily summary - 11.12.2023

End-of-Day report

Timeframe: Thursday 07-12-2023 18:00 - Monday 11-12-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner

News

AutoSpill attack steals credentials from Android password managers

Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation.

https://www.bleepingcomputer.com/news/security/autospill-attack-steals-credentials-from-android-password-managers/


Over 30% of Log4J apps use a vulnerable version of the library

Roughly 38% of applications using the Apache Log4j library are using a version vulnerable to security issues, including Log4Shell, a critical vulnerability identified as CVE-2021-44228 that carries the maximum severity rating, despite patches being available for more than two years.

https://www.bleepingcomputer.com/news/security/over-30-percent-of-log4j-apps-use-a-vulnerable-version-of-the-library/


Security update: WordPress vulnerable under certain conditions

In the current WordPress version, the developers have closed a security vulnerability.

https://www.heise.de/-9567923


DoS vulnerabilities: attackers can disconnect 714 smartphone models from the 5G network

Researchers have disclosed several vulnerabilities in widely used 5G modems. With these, attackers can deny 5G connectivity to many smartphone users.

https://www.golem.de/news/dos-schwachstellen-angreifer-koennen-714-smartphone-modelle-vom-5g-netz-trennen-2312-180183.html


40 New Domains of Magecart Veteran ATMZOW Found in Google Tag Manager

In today's post, we'll take a look at some recent Google Tag Manager containers used in ecommerce malware, examine some newer forms of obfuscation techniques used in the malicious code, and track the evolution of the ATMZOW skimmer linked to widespread Magento website infections since 2015.

https://blog.sucuri.net/2023/12/40-new-domains-of-magecart-veteran-atmzow-found-in-google-tag-manager.html


Bluetooth vulnerability allows injection of keystrokes

A vulnerability in Bluetooth stacks allows attackers to inject keystrokes. This affects Android, iOS, Linux and macOS.

https://www.heise.de/-9570583


Warning, fake shop: fressnapfs.shop

Criminals are running ads on Facebook and Instagram for a fraudulent Fressnapf online shop. The fake online shop looks deceptively similar to the real one. The web address "fressnapfs.shop" also seems plausible. If you order from the fake shop, you lose your money and receive no delivery!

https://www.watchlist-internet.at/news/achtung-fake-shop-fressnapfsshop/


To tap or not to tap: Are NFC payments safer?

Contactless payments are quickly becoming ubiquitous - but are they more secure than traditional payment methods?

https://www.welivesecurity.com/en/cybersecurity/to-tap-or-not-to-tap-are-nfc-payments-safer/


Kaspersky discovers "highly complex" proxy trojan for macOS

The malware is distributed via pirated software. Variants for Android and Windows are apparently also in circulation.

https://www.zdnet.de/88413363/kaspersky-entdeckt-hochkomplexen-proxy-trojaner-fuer-macos/


Risk of Active Directory misconfigurations; Forest Druid for analysis

Misconfigurations and default settings of Active Directory can endanger the IT security of organisations. Bastien Bossiroy of NVISO Labs has looked into this topic and already published a post at the end of October 2023 on the most common Active Directory misconfigurations/default configurations that put organisations at risk. In addition, I recently came across a reference to "Forest Druid", a free attack path management tool from Semperis.

https://www.borncity.com/blog/2023/12/09/risiko-active-directory-die-hufigsten-fehlkonfigurationen-standardkonfigurationen-forest-druid-zur-analyse/


Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based RAT utilizing Telegram as its C2 channel. We're naming this malware family "NineRAT." NineRAT was initially built around May 2022 and was first used in this campaign as early as March 2023, almost a year later, against a South American agricultural organization. We then saw NineRAT being used again around September 2023 against a European manufacturing entity.

https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/


2023 Review: Reflecting on Cybersecurity Trends

With the season of ubiquitous year-ahead predictions around the corner, Trend Micro's Greg Young and William Malik decided to look back at 2023 and see which forecasted cybersecurity trends came to pass and which, um, didn't.

https://www.trendmicro.com/en_us/ciso/23/l/2023-review-reflecting-on-cybersecurity-trends.html


Analyzing AsyncRAT's Code Injection into aspnet_compiler.exe Across Multiple Incident Response Cases

This blog entry delves into MxDR's unraveling of the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications.

https://www.trendmicro.com/en_us/research/23/l/analyzing-asyncrat-code-injection-into-aspnetcompiler-exe.html

Vulnerabilities

Resolved RCE in Sophos Firewall (CVE-2022-3236)

The vulnerability was originally fixed in September 2022. In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall. No action is required if organizations have upgraded their firewalls to a supported firmware version after September 2022.

https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce


Security vulnerabilities: attackers can push malicious code onto Qnap NAS devices

Qnap network storage devices are vulnerable. The developers have fixed the security problems in current versions.

https://www.heise.de/-9570375


New RCE vulnerability in Apache Struts 2 fixed, upgrade ASAP (CVE-2023-50164)

The Apache Struts project has released updates for the popular open-source web application framework, with fixes for a critical vulnerability that could lead to remote code execution (CVE-2023-50164).

https://www.helpnetsecurity.com/2023/12/08/cve-2023-50164/


Security updates for Friday

Security updates have been issued by Fedora (chromium), Mageia (firefox, thunderbird, and vim), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container), and Ubuntu (freerdp2, glibc, and tinyxml).

https://lwn.net/Articles/954092/


Security updates for Monday

Security updates have been issued by Debian (chromium), Fedora (bluez, chromium, and curl), Red Hat (apr), Slackware (libxml2), and Ubuntu (squid3 and tar).

https://lwn.net/Articles/954449/


Edge 120.0.2210.61 with security fixes and new telemetry function

Microsoft released Edge 120.0.2210.61 in the Stable channel on 7 December 2023. This version closes three vulnerabilities (in addition to Chromium security holes). The new Edge also comes with new policies.

https://www.borncity.com/blog/2023/12/08/edge-120-0-2210-61-mit-sicherheitsfixes-und-neuer-telemetriefunktion/


GarageBand 10.4.9

https://support.apple.com/kb/HT214042


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


Frauscher: FDS102 for FAdC/FAdCi remote code execution vulnerability

https://cert.vde.com/de/advisories/VDE-2023-049/


Local privilege escalation via MSI installer in PDF24 Creator (geek Software GmbH)

https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escalation-durch-msi-installer-in-pdf24-creator-geek-software-gmbh/