End-of-Day report
Timeframe: Friday 22-12-2023 18:00 - Wednesday 27-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Operation Triangulation: The last (hardware) mystery
Recent iPhone models have additional hardware-based security protection for sensitive regions of the kernel memory. We discovered that to bypass this hardware-based security protection, the attackers used another hardware feature of Apple-designed SoCs.
https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/
Stealth Backdoor "Android/Xamalicious" Actively Infecting Devices
McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows building Android and iOS apps with .NET and C#. Dubbed Android/Xamalicious, it tries to gain accessibility privileges with social engineering and then communicates with the command-and-control server to evaluate whether or not to download a second-stage payload that's dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps, and other financially motivated actions without user consent.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stealth-backdoor-android-xamalicious-actively-infecting-devices/
Dangerous VPN extension for Chrome installed millions of times
Around 1.5 million computers are infected with malware that lodges itself in browsers as a VPN extension. [..] The software lands on the computers via illegally copied games such as Grand Theft Auto, Assassin's Creed and The Sims 4 that were downloaded from torrent sites.
https://futurezone.at/digital-life/vpn-extension-chrome-gefaehrlich-millionenfach-installiert-reasonlabs/402720094
Python Keylogger Using Mailtrap.io, (Sat, Dec 23rd)
I found another Python keylogger... This is pretty common because Python has plenty of modules to implement this technique in a few lines of code [..] But, in this case, the attacker used another popular online service: mailtrap.io.
https://isc.sans.edu/diary/rss/30512
New Guide: Broken Access Control
We are excited to announce the release of our new guide What is Broken Access Control. This handy resource helps you grasp the ins-and-outs of BACs, their potential risks and operation, enabling you to effectively secure your website against unauthorized access and breaches.
https://blog.sucuri.net/2023/12/new-guide-broken-access-control.html
Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft
Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information. The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri.
https://thehackernews.com/2023/12/rogue-wordpress-plugin-exposes-e.html
Tesla: Researchers at TU Berlin gain access to Autopilot hardware
Using a brief voltage drop, three doctoral students at TU Berlin were able to gain access to the circuit board on which Tesla's Autopilot runs.
https://www.heise.de/-9583095
Dual Privilege Escalation Chain: Exploiting Monitoring and Service Mesh Configurations and Privileges in GKE to Gain Unauthorized Access in Kubernetes
This article examines two specific issues in Google Kubernetes Engine (GKE). While each issue might not result in significant damage on its own, when combined they create an opportunity for an attacker who already has access to a Kubernetes cluster to escalate their privileges. This article serves as a crucial resource for Kubernetes users and administrators, offering insights on safeguarding their clusters from potential attacks.
https://unit42.paloaltonetworks.com/google-kubernetes-engine-privilege-escalation-fluentbit-anthos/
Analysis of Attacks That Install Scanners on Linux SSH Servers
AhnLab Security Emergency response Center (ASEC) analyzes attack campaigns against poorly managed Linux SSH servers and shares the results on the ASEC Blog.
https://asec.ahnlab.com/en/59972/
Vulnerabilities
Critical Zero-Day in Apache OfBiz ERP System Exposes Businesses to Attack
A new zero-day security flaw has been discovered in the Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system that could be exploited to bypass authentication protections. The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month.
https://thehackernews.com/2023/12/critical-zero-day-in-apache-ofbiz-erp.html
Critical security vulnerability in Perl library: flaw already exploited
Security researchers have discovered a critical vulnerability in a Perl library for parsing Excel files, which attackers have already exploited. [..] MITRE has assigned the vulnerability the entry CVE-2023-7101. The proof of concept dates from March 2023. A security patch is currently not yet available.
https://www.heise.de/-9583179
Barracuda ESG vulnerability CVE-2023-7102 (Dec. 2023)
During an ongoing investigation, Barracuda determined that a threat actor is exploiting the vulnerability CVE-2023-7102 in the Barracuda Email Security Gateway Appliance (ESG). The use of a third-party library led to this vulnerability, which affected the Barracuda ESG Appliance from 5.1.3.001 through 9.2.1.001. On 21 December 2023, Barracuda deployed a security update to all active ESGs to remediate the ACE vulnerability.
https://www.borncity.com/blog/2023/12/27/barracuda-esg-schwachstelle-cve-2023-7102-dez-2023/
Security updates for Tuesday
Security updates have been issued by Debian (curl, openssh, osslsigncode, and putty), Fedora (chromium, filezilla, libfilezilla, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, opensc, thunderbird, unrealircd, and xorg-x11-server-Xwayland), Gentoo (Ceph, FFmpeg, Flatpak, Gitea, and SABnzbd), Mageia (chromium-browser-stable), Slackware (kernel and postfix), and SUSE (cppcheck, distribution, gstreamer-plugins-bad, jbigkit, and ppp).
https://lwn.net/Articles/956156/
Autodesk: Multiple Vulnerabilities in Autodesk InfoWorks software
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0024
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/