End-of-Day report
Timeframe: Tuesday 19-12-2023 18:00 - Wednesday 20-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Data leak site seized: The FBI and the ALPHV hackers play cat and mouse
The FBI has seized the data leak site of the ALPHV ransomware group. The hackers, however, still have access to it as well and are now threatening to impose new rules.
https://www.golem.de/news/datenleckseite-beschlagnahmt-das-fbi-und-die-alphv-hacker-spielen-katz-und-maus-2312-180504.html
Remote Encryption Attacks Surge: How One Vulnerable Device Can Spell Disaster
Ransomware groups are increasingly switching to remote encryption in their attacks, marking a new escalation in tactics adopted by financially motivated actors to ensure the success of their campaigns. "Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network," [...]
https://thehackernews.com/2023/12/remote-encryption-attacks-surge-how-one.html
Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla
First discovered in 2014, Agent Tesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers. Recently, Zscaler ThreatLabz detected a threat campaign where threat actors leverage CVE-2017-11882 XLAM to spread Agent Tesla to users on vulnerable versions of Microsoft Office.
https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
New MetaStealer malvertising campaigns
In recent malvertising campaigns, threat actors dropped the MetaStealer information stealer, more or less coinciding with a new version release.
https://www.malwarebytes.com/blog/threat-intelligence/2023/12/new-metastealer-malvertising-campaigns
BSI and ANSSI publish a paper on Remote Identity Proofing
The BSI, together with the French IT security agency ANSSI, has published a joint paper. This year's publication deals with the threats and possible attack vectors that arise in the various phases of video-based identification.
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldungen/ANSSI_BSI_Remote_Identity_Proofing_231220.html
Why Is an Australian Footballer Collecting My Passwords? The Various Ways Malicious JavaScript Can Steal Your Secrets
Malicious JavaScript is used to steal PII via survey sites, web chat APIs and more. We detail how JavaScript malware is implemented and evades detection.
https://unit42.paloaltonetworks.com/malicious-javascript-steals-sensitive-data/
Behind the scenes: JaskaGO's coordinated strike on macOS and Windows
In recent developments, a sophisticated malware stealer strain crafted in the Go programming language has been discovered by AT&T Alien Labs, posing a severe threat to both Windows and macOS operating systems. As of the time of publishing of this article, traditional antivirus solutions have low or even non-existent detection rates, making it a stealthy and formidable adversary.
https://cybersecurity.att.com/blogs/labs-research/behind-the-scenes-jaskagos-coordinated-strike-on-macos-and-windows
Spike in Atlassian Exploitation Attempts: Patching is Crucial
In the blog we discuss the importance of securing your Atlassian products, provide valuable insights on various IP activities, and offer friendly advice on proactive measures to protect your organization.
https://www.greynoise.io/blog/spike-in-atlassian-exploitation-attempts-patching-is-crucial
Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors
Earlier this year, Mandiant's Managed Defense threat hunting team identified an UNC2975 malicious advertising ("malvertising") campaign presented to users in sponsored search engine results and social media posts, consistent with activity reported in From DarkGate to DanaBot. This campaign dates back to at least June 19, 2023, and has abused search engine traffic and leveraged malicious advertisements to affect multiple organizations, which resulted in the delivery of the DANABOT and DARKGATE backdoors.
https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors
Vulnerabilities
ZDI-23-1810: QEMU NVMe Out-Of-Bounds Read Information Disclosure Vulnerability
This vulnerability allows local attackers to disclose sensitive information on affected installations of QEMU. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.0.
https://www.zerodayinitiative.com/advisories/ZDI-23-1810/
ZDI-23-1813: Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8.
https://www.zerodayinitiative.com/advisories/ZDI-23-1813/
Sitefinity Security Advisory for Addressing Security Vulnerability CVE-2023-6784, December 2023
The Progress Sitefinity team recently discovered a MEDIUM CVSS vulnerability in the Sitefinity application, tracked as CVE-2023-6784. A fix has been developed and tested and is now available for download. Below you can find information about the discoveries and version-specific product updates for supported versions.
https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2023-6784-December-2023
Security updates for Wednesday
Security updates have been issued by Fedora (ansible and ansible-core), Gentoo (Minecraft Server and thunderbird), Mageia (fusiondirectory), Red Hat (gstreamer1-plugins-bad-free, opensc, and openssl), Slackware (libssh and mozilla), SUSE (avahi, firefox, ghostscript, gstreamer-plugins-bad, mariadb, openssh, openssl-1_1-livepatches, python-aiohttp, python-cryptography, xorg-x11-server, and xwayland), and Ubuntu (libssh and openssh).
https://lwn.net/Articles/955786/
Apple Releases Security Updates for Multiple Products
Apple has released security updates to address vulnerabilities in Safari, iOS, iPadOS, and macOS Sonoma. A cyber threat actor could exploit one of these vulnerabilities to obtain sensitive information. CISA encourages users and administrators to review Apple security releases and apply necessary updates.
https://www.cisa.gov/news-events/alerts/2023/12/20/apple-releases-security-updates-multiple-products
New Ivanti Avalanche Vulnerabilities
As part of our ongoing strengthening of the security of our products we have discovered twenty new vulnerabilities in the Ivanti Avalanche on-premise product. We are reporting these vulnerabilities as the CVE numbers listed below. These vulnerabilities impact all supported versions of the products - Avalanche versions 6.3.1 and above. Older versions/releases are also at risk. This release corrects multiple memory corruption vulnerabilities, covered in these security advisories: [...]
https://www.ivanti.com/blog/new-ivanti-avalanche-vulnerabilities
Multiple vulnerabilities in D-Link G416 routers
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10367
K000137965 : Apache Tomcat vulnerability CVE-2023-45648
https://my.f5.com/manage/s/article/K000137965
K000137966 : Apache Tomcat vulnerability CVE-2023-42794
https://my.f5.com/manage/s/article/K000137966
IBM Security Guardium is affected by multiple vulnerabilities. [CVE-2022-42889, CVE-2023-35001, CVE-2023-32233]
https://www.ibm.com/support/pages/node/7095693
IBM Security Guardium is affected by multiple vulnerabilities
https://www.ibm.com/support/pages/node/7087688
IBM Maximo Application Suite - IoT Component uses Pygments-2.14.0-py3-none-any.whl which is vulnerable to CVE-2022-40896
https://www.ibm.com/support/pages/node/7099774
IBM Maximo Application Suite uses urllib3-1.26.16-py2.py3-none-any.whl which is vulnerable to CVE-2023-43804
https://www.ibm.com/support/pages/node/7099772
IBM Sterling B2B Integrator EBICs client affected by multiple issues due to Jettison
https://www.ibm.com/support/pages/node/7099862
IBM Security Guardium is affected by a guava-18.0.jar vulnerability (CVE-2023-2976)
https://www.ibm.com/support/pages/node/7099896
Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow
https://www.ibm.com/support/pages/node/7100525
IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-39975, CVE-2023-34042)
https://www.ibm.com/support/pages/node/7100884