End-of-Day report
Timeframe: Thursday 13-04-2023 18:00 - Friday 14-04-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
3CX VoIP software: first analysis results
3CX has released the first findings of the IT security specialists at Mandiant concerning the intrusion and the supply-chain attack on its VoIP software.
https://heise.de/-8962595
Network equipment vendor Juniper ships many security updates
Various products of the network equipment vendor Juniper contain security vulnerabilities, which the vendor is closing with updates. They should be installed promptly.
https://heise.de/-8951334
Patch now! QueueJumper vulnerability puts hundreds of thousands of Windows systems at risk
After worldwide scans, security researchers have found over 400,000 potentially attackable Windows systems. Security patches are available.
https://heise.de/-8961420
Password protection bypassable: Drupal module Protected Pages vulnerable
Attackers could access Drupal websites that are supposed to be sealed off by passwords. A security update is available.
https://heise.de/-8959518
Cloudflare: botnets rely on hacked VPS instead of IoT
According to Cloudflare, botnets are relying on hacked Virtual Private Servers (VPS), for example those of start-ups, which offer considerably more capacity for DDoS attacks.
https://www.golem.de/news/cloudflare-botnetzwerke-setzen-auf-gehackte-vps-statt-auf-iot-2304-173418.html
HTTP: What's Left of it and the OCSP Problem, (Thu, Apr 13th)
It has been well documented that most "web" traffic these days uses TLS, either as traditional HTTPS or the more modern QUIC protocol. So it is always interesting to see what traffic remains as HTTP.
https://isc.sans.edu/diary/rss/29744
How to Set Up a Content Security Policy (CSP) in 3 Steps
What is a Content Security Policy (CSP)? A Content Security Policy (CSP) is a security feature used to help protect websites and web apps from clickjacking, cross-site scripting (XSS), and other malicious code injection attacks. At the most basic level, a CSP is a set of rules that restricts or green lights what content loads onto your website. It is a widely-supported security standard recommended to anyone who operates a website.
https://blog.sucuri.net/2023/04/how-to-set-up-a-content-security-policy-csp-in-3-steps.html
RTM Locker: Emerging Cybercrime Group Targeting Businesses with Ransomware
Cybersecurity researchers have detailed the tactics of a "rising" cybercriminal gang called "Read The Manual" (RTM) Locker that functions as a private ransomware-as-a-service (RaaS) provider and carries out opportunistic attacks to generate illicit profit.
https://thehackernews.com/2023/04/rtm-locker-emerging-cybercrime-group.html
Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation
The Android vulnerability CVE-2023-20963, reportedly exploited as a zero-day by a Chinese app against millions of devices, was added to CISA's KEV catalog.
https://www.securityweek.com/google-cisa-warn-of-android-flaw-after-reports-of-chinese-app-zero-day-exploitation/
Automating Qakbot decode at scale
This is a technical post covering methodology to extract configuration data from recent Qakbot samples. I will provide background on Qakbot, walk through decode themes in an easy to visualize manner. I will then share a Velociraptor artifact to detect and automate the decode process at scale.
https://www.rapid7.com/blog/post/2023/04/14/automating-qakbot-decode/
Vulnerabilities
CISA Releases Sixteen Industrial Control Systems Advisories
CISA released sixteen Industrial Control Systems (ICS) advisories on April 13, 2023.
* B. Braun Battery Pack SP with Wi-Fi
* 13x Siemens
* Datakit CrossCAD-WARE
* Mitsubishi Electric GOC35 Series
https://www.cisa.gov/news-events/alerts/2023/04/13/cisa-releases-sixteen-industrial-control-systems-advisories
Advisory SA23P002: Several Issues in B&R VC4 Visualization
An unauthenticated network-based attacker who successfully exploits these vulnerabilities could bypass the authentication mechanism of the VC4 visualization, read stack memory or execute code on an affected device.
https://www.br-automation.com/downloads_br_productcatalogue/assets/1681046878970-en-original-1.0.pdf
Security updates for Friday
Security updates have been issued by Debian (haproxy and openvswitch), Fedora (bzip3, libyang, mingw-glib2, thunderbird, xorg-x11-server, and xorg-x11-server-Xwayland), and Ubuntu (apport, ghostscript, linux-bluefield, node-thenify, and python-flask-cors).
https://lwn.net/Articles/929107/
Cross-Site Scripting in Timesheet Tracking for Jira (SYSS-2022-050)
Cross-site scripting vulnerabilities in the plug-in "Timesheet Tracking for Jira" allow malicious code to be injected that is executed by all visitors.
https://www.syss.de/pentest-blog/cross-site-scripting-in-timesheet-tracking-for-jira-syss-2022-050
CPE2023-001 - Regarding vulnerabilities for Office/Small Office Multifunction Printers, Laser Printers and Inkjet Printers - 14 April 2023
Several vulnerabilities have been identified for certain Office/Small Office Multifunction Printers, Laser Printers and Inkjet Printers.
https://www.canon-europe.com/support/product-security-latest-news/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/