End-of-Day report
Timeframe: Friday 15-12-2023 18:00 - Monday 18-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Two months after disclosure: SQL injection vulnerability in 3CX still unpatched
Instead of providing a patch, 3CX is now asking its customers to disable their SQL database integrations for security reasons.
https://www.golem.de/news/zwei-monate-nach-meldung-sql-injection-schwachstelle-in-3cx-noch-immer-ungepatcht-2312-180393.html
SMTP Smuggling - Spoofing E-Mails Worldwide
Introducing a novel technique for e-mail spoofing
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
SLP Denial of Service Amplification - Attacks are ongoing and rising
We build on our previous work and look into how threat actors are abusing SLP to launch reflection/amplification DDoS attacks, their evolution, and what targets they are focused on at the moment.
https://www.bitsight.com/blog/slp-denial-service-amplification-attacks-are-ongoing-and-rising
WordPress hosting service Kinsta targeted by Google phishing ads
WordPress hosting provider Kinsta is warning customers that Google ads have been observed promoting phishing sites to steal hosting credentials.
https://www.bleepingcomputer.com/news/security/wordpress-hosting-service-kinsta-targeted-by-google-phishing-ads/
Microsoft Warns of Storm-0539: The Rising Threat Behind Holiday Gift Card Frauds
Microsoft is warning of an uptick in malicious activity from an emerging threat cluster it's tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season.
https://thehackernews.com/2023/12/microsoft-warns-of-storm-0539-rising.html
PikaBot distributed via malicious search ads
PikaBot, a stealthy malware normally distributed via malspam, is now being spread via malicious ads.
https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads
QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry
A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry.
https://thehackernews.com/2023/12/qakbot-malware-resurfaces-with-new.html
iOS 17.2: Flipper Zero can no longer crash iPhones
With iOS 17.2, Apple apparently prevents iPhones from being DoSed with a Flipper Zero Bluetooth exploit.
https://www.heise.de/-9576526
Ransomware groups increasingly court media attention
To set themselves apart from the competition and have their own achievements recognised, ransomware groups are increasingly seeking direct contact with journalists.
https://www.heise.de/-9576774
E-mail from the "Entschädigungsamt" (compensation office) is fake
Criminals are posing as the "Entschädigungsamt" and claim in an e-mail that fraud victims will be compensated with a total of 3,500,000 euros. Do not reply, and under no circumstances send personal data or copies of identity documents. You will be defrauded again!
https://www.watchlist-internet.at/news/e-mail-vom-entschaedigungsamt-ist-fake/
Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains
Using machine learning to target stockpiled malicious domains, the results of our detection pipeline tool highlight campaigns from phishing to scams.
https://unit42.paloaltonetworks.com/detecting-malicious-stockpiled-domains/
An Example of RocketMQ Exploit Scanner, (Sat, Dec 16th)
A few months ago, RocketMQ, a real-time message queue platform, suffered from a nasty vulnerability referred to as CVE-2023-33246. I found another malicious script in the wild a few weeks ago that exploits this vulnerability. It still has a very low VirusTotal detection score today: 2/60
https://isc.sans.edu/diary/rss/30492
CISA Urges Manufacturers to Eliminate Default Passwords After Recent ICS Attacks
CISA is advising device makers to stop relying on customers to change default passwords following attacks targeting water sector ICS.
https://www.securityweek.com/cisa-urges-manufacturers-to-eliminate-default-passwords-after-recent-ics-attacks/
CISA Releases Key Risk and Vulnerability Findings for Healthcare and Public Health Sector
Report provides recommended actions and mitigation strategies for HPH sector, critical infrastructure and software manufacturers
https://www.cisa.gov/news-events/news/cisa-releases-key-risk-and-vulnerability-findings-healthcare-and-public-health-sector
#StopRansomware: Play Ransomware
These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a
Vulnerabilities
Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server
Four new unauthenticated remotely exploitable security vulnerabilities discovered in the popular source code management platform Perforce Helix Core Server have been remediated after being responsibly disclosed by Microsoft. Perforce Server customers are strongly urged to update to version 2023.1/2513900.
https://www.microsoft.com/en-us/security/blog/2023/12/15/patching-perforce-perforations-critical-rce-vulnerability-discovered-in-perforce-helix-core-server/
ZDI-23-1799: Ivanti Avalanche Incorrect Default Permissions Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Ivanti Avalanche. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-41726.
http://www.zerodayinitiative.com/advisories/ZDI-23-1799/
Security updates for Monday
Security updates have been issued by Debian (freeimage, ghostscript, intel-microcode, spip, and xorg-server), Fedora (chromium, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, PyDrive2, seamonkey, and vim), Gentoo (Leptonica), Mageia (audiofile, gimp, golang, and poppler), Oracle (buildah, containernetworking-plugins, gstreamer1-plugins-bad-free, kernel, kernel-container, libxml2, pixman, podman, postgresql, postgresql:15, runc, skopeo, tracker-miners, and webkit2gtk3), and SUSE (fish).
https://lwn.net/Articles/955566/
OpenSSH Security December 18, 2023
OpenSSH 9.6 was released on 2023-12-18. It is available from the mirrors listed at https://www.openssh.com/. This release contains a number of security fixes, some small features and bugfixes.
https://www.openssh.com/security.html
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Nextcloud Security Advisories
https://github.com/nextcloud/security-advisories/security